skills/alfredang/skills/GitHub About/Gen Agent Trust Hub

GitHub About

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: HIGH
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • DATA_EXFILTRATION (HIGH): The skill explicitly sources ~/.zshrc to load the GH_TOKEN. Shell configuration files like .zshrc are highly sensitive as they often contain numerous API keys, environment variables, and private aliases. Loading these into the active environment increases the risk of accidental or malicious exposure.
  • COMMAND_EXECUTION (MEDIUM): The skill performs multiple shell operations including source, git remote, sed for string parsing, and node -e for JSON parsing. These operations are performed on data derived from the local file system.
  • PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8). It reads content from README.md, package.json, and other project files to automatically generate a repository description. An attacker could embed malicious instructions in these files to trick the AI into including sensitive environment variables (from .zshrc) in the generated description sent to the public GitHub API.
    * Ingestion points: SKILL.md (Phase 2.2, 3.2, 4.2) identifies README.md, package.json, pyproject.toml, and others as sources.
    * Boundary markers: Absent. No delimiters or instructions are used to prevent the agent from obeying instructions found within these files.
    * Capability inventory: gh repo edit --description, gh repo edit --homepage, and gh repo edit --add-topic provide a path to exfiltrate data to GitHub.
    * Sanitization: Absent. The skill does not sanitize the content read from files before using it to generate API parameters.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 18, 2026, 06:46 PM