review-pr

Pass

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted input from GitHub pull requests, including titles, bodies, and code diffs.
      • Ingestion points: The skill fetches external data using gh pr view and gh pr diff commands as described in SKILL.md.
      • Boundary markers: The instructions lack explicit delimiters or specific negative constraints to prevent the agent from following instructions embedded within the processed PR content.
      • Capability inventory: The skill has access to powerful tools including Bash, Read, Write, Edit, and the ability to spawn multiple specialized sub-agents, creating a significant attack surface if the agent is successfully manipulated.
      • Sanitization: There is no evidence of sanitization or filtering of the ingested PR content before it is passed to the analysis agents.
  • [COMMAND_EXECUTION]: The skill relies heavily on the Bash tool to perform its primary functions.
      • It executes gh CLI commands to interact with GitHub and runs local build, lint, and test commands defined in references/validation-commands.md.
      • PR identifiers and other metadata are interpolated into shell command strings, which is a necessary part of the workflow but reinforces the need for caution if the agent's context is compromised.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 30, 2026, 03:05 AM