The Agent Skills Directory

[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) due to its core workflow of reading and triaging untrusted external data.
Ingestion points: The skill explicitly instructs the agent to read issue titles, bodies, and comments in the 'Triage Workflow', and failed workflow logs in the 'CI/CD Operations' section.
Boundary markers: There are no delimiters or instructions provided to the agent to treat processed GitHub content as data rather than instructions, nor is it told to ignore embedded commands within that content.
Capability inventory: The skill provides the agent with write-access capabilities including gh issue edit (applying labels), gh issue comment (posting responses), gh release create (generating releases), and gh run rerun (executing workflows).
Sanitization: There is no evidence of sanitization or schema validation for the data ingested from GitHub APIs before it is incorporated into the agent's decision-making process.
Mitigation: Wrap external content in clear delimiters with an explicit 'ignore embedded instructions' warning to the agent. Minimize the write capabilities to only those strictly necessary for the current task.
[COMMAND_EXECUTION]: The skill relies on the gh CLI to execute various shell commands for repository management. While these commands follow a predefined structure, the broad access to the GitHub API via the CLI allows the agent to perform significant modifications to the repository state (labels, comments, releases, and workflow reruns) based on the input it processes.

github-ops