god-mode

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (MEDIUM): The skill possesses a significant attack surface for indirect prompt injection by design. It ingests untrusted data from external sources and interpolates it into a prompt for AI analysis.
  • Ingestion points: The skill reads the contents of agents.md (or similar files) and recent commit messages/patterns from GitHub repositories (scripts/lib/analysis/agents.sh and scripts/commands/sync.sh).
  • Boundary markers: In prompts/agent-analysis.md, untrusted content such as {{ agent_content }} and {{ commit_samples }} is wrapped in markdown code blocks, but there are no explicit instructions to the AI to ignore instructions embedded within that data.
  • Capability inventory: While the skill itself only generates suggestions and does not automatically execute them, the output is intended to directly influence the developer's agent instructions, creating a vector for social engineering or 'jailbreaking' the developer's local AI environment.
  • Sanitization: Content is escaped for SQL safety (e.g., sed "s/'/''/g" in scripts/lib/db.sh), but there is no sanitization or filtering to prevent prompt injection payloads within the ingested text.
  • Persistence Mechanisms (LOW): The installation instructions in README.md require the user to modify their shell environment, which is a common persistence vector.
  • Evidence: echo 'export PATH="$PATH:'$(pwd)'/scripts"' >> ~/.bashrc in README.md and scripts/setup.sh documentation.
  • Command Execution (LOW): The skill relies on local execution of the gh, sqlite3, and jq binaries. While these are trusted system utilities, the script constructs shell commands using repository metadata.
  • Evidence: gh api and sqlite3 calls throughout the scripts/ directory.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 16, 2026, 08:36 AM