workflow-monitor

Fail

Audited by Gen Agent Trust Hub on Apr 13, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is vulnerable to shell command injection in the duplicate detection logic.
  • Evidence: In modules/issue-templates.md, the logic for duplicate detection uses: gh issue list --search "{{COMMAND}} OR {{ERROR_EXCERPT}}".
  • Impact: The variables {{COMMAND}} and {{ERROR_EXCERPT}} are populated from untrusted command outputs. An attacker-controlled output containing shell metacharacters (e.g., backticks, $(), or ;) could execute arbitrary commands on the system when the agent attempts to search for duplicates.
  • [DATA_EXFILTRATION]: The skill captures potentially sensitive command outputs and uploads them to external git platforms without sanitization.
  • Evidence: SKILL.md (Phase 4) and modules/issue-templates.md show that {{OUTPUT_EXCERPT}} and {{COMMAND}} are used to populate the body of GitHub/GitLab issues.
  • Impact: If a monitored command accidentally prints secrets (e.g., environment variables, tokens, or credentials), this data will be exfiltrated and stored in a persistent, potentially public issue tracker.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection from monitored data.
  • Ingestion points: Command outputs and error messages are ingested into the agent context in SKILL.md and modules/detection-patterns.md.
  • Boundary markers: Absent. The templates in modules/issue-templates.md interpolate raw data without delimiters or instructions to ignore embedded commands.
  • Capability inventory: The skill can execute shell commands via Bash, interact with GitHub via gh, and modify files via TodoWrite.
  • Sanitization: Absent. Untrusted command outputs are used directly to generate "Root Cause Analysis" and "Suggested Fixes".
  • Impact: Malicious instructions hidden in command outputs or log files could influence the agent's behavior during the analysis phase or lead it to suggest harmful "fixes".
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 13, 2026, 11:26 PM