github-automation

Pass

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: SAFE
COMMAND_EXECUTION
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to read and process data from external, potentially attacker-controlled sources on GitHub.
  • Ingestion points: Data enters the agent's context through tools like github.get_file_contents, searchCode, searchIssues, and getPullRequestFiles as described in SKILL.md.
  • Capability inventory: The agent possesses powerful capabilities including Bash access and the ability to modify repository states via mcporter and mcp__github__* tools.
  • Boundary markers: The skill does not implement delimiters or system-level instructions to ignore embedded commands within the fetched GitHub data.
  • Sanitization: No sanitization or validation logic is present to filter malicious instructions out of Issue descriptions, PR comments, or code files before they are interpreted.
  • [COMMAND_EXECUTION]: The skill includes Python and Bash code examples that demonstrate how to execute the mcporter CLI tool using dynamic argument assembly.
  • Evidence: In SKILL.md, a Python script uses subprocess.run to call the GitHub automation tool. If the payload object is populated with unsanitized data from a user or an external GitHub source, it could lead to command injection or the execution of unintended API calls.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 13, 2026, 06:59 AM