crane-audit

Warn

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS

Full Analysis
  • [COMMAND_EXECUTION]: The skill interpolates variables like {number} and {package_path} directly into shell commands without apparent sanitization.
      Evidence: Commands in Phase 1 (gw gh pr view {number}) and Phase 3 (cd {package_path} && bun svelte-check).
      Risk: An attacker could potentially execute arbitrary commands by providing a malicious PR number or by manipulating the repository structure to influence the package path calculation.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests and processes untrusted data from pull request diffs and metadata.
      Ingestion points: SKILL.md describes fetching PR metadata and diffs using gw gh pr view and gw gh pr diff in Phase 1.
      Boundary markers: The skill does not define specific delimiters or instructions to ignore potential commands embedded in the PR data.
      Capability inventory: The skill has access to shell execution (gw, bun, tsc).
      Sanitization: There is no evidence of sanitization or validation of the content retrieved from the PR.
  • [EXTERNAL_DOWNLOADS]: The skill relies on external CLI tools and packages, primarily from the @autumnsgrove scope.
      Evidence: Use of gw CLI and various @autumnsgrove/* SDKs mentioned in references/compliance-checks.md.
      Context: These are vendor-owned resources and are considered expected dependencies for the skill's functionality.

Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 11, 2026, 01:25 PM