NYC

gh-bootstrap

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill clones external repositories and writes their content into the project root. This is a primary attack surface for Indirect Prompt Injection because the agent is instructed to trust and deploy external content without sanitization.
  • Ingestion points: phases/04-execution.md (Step 3) where repositories from a catalog are cloned.
  • Boundary markers: Absent. The skill contains no instructions to ignore malicious commands embedded in templates.
  • Capability inventory: Bash (git clone, rm -rf), Write (file creation), and Read (file content extraction).
  • Sanitization: Explicitly forbidden by the skill instructions, which mandate 'direct copy' (禁止重写 "rewriting is forbidden", 禁止参考模板后重新编写 "rewriting after consulting the template is forbidden") except for basic variable replacement.
  • [Remote Code Execution] (HIGH): By writing downloaded YAML files to .github/workflows/, the skill enables Remote Code Execution on the user's GitHub Actions infrastructure. An attacker controlling a referenced template repository could execute arbitrary code when the user pushes the generated files.
  • Evidence: Phase 4 Step 4 and Step 5 automate the creation of workflows from remote sources like actions/starter-workflows and untrusted repositories like stevemao/github-issue-templates.
  • [Prompt Injection] (MEDIUM): The skill uses authoritative constraints (CRITICAL CONSTRAINTS, ⚠️ 禁止自行编写配置文件 "writing configuration files yourself is forbidden") to force the agent to ignore its own safety training and internal knowledge base in favor of external, potentially malicious data.
  • Evidence: SKILL.md states: '禁止凭空生成... 不允许跳过下载步骤直接写文件,即使 Claude 知道如何编写' ("Generating from scratch is forbidden... Skipping the download step and writing files directly is not allowed, even if Claude knows how to write them").
  • [Command Execution] (MEDIUM): The skill uses the Bash tool to perform operations with high privileges, including rm -rf and git clone with user-provided or catalog-provided URLs.
  • Evidence: Phase 4 Step 7 executes rm -rf .gh-bootstrap-cache/, which could be exploited if path variables are manipulated.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 06:02 AM