recall

Fail

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill interpolates user-provided arguments directly into shell commands without sanitization.
  • Evidence: The skill uses variables like ${SCOPE} and ${ACTION} in shell commands such as git log --all --grep="(${SCOPE}", grep -E "^...\(${SCOPE}", and git log --all --grep="${ACTION}(${SCOPE}".
  • Impact: A malicious user or input could execute arbitrary shell commands by providing a scope or action name containing shell metacharacters such as semicolons, ampersands, or pipes.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by processing untrusted data from git history.
  • Ingestion points: Commit history bodies and diffs are read via git log and git diff as described in SKILL.md.
  • Boundary markers: There are no boundary markers or instructions used to distinguish between data and commands in the synthesis process.
  • Capability inventory: The skill executes shell commands (git) and synthesizes summaries for the agent.
  • Sanitization: No sanitization or escaping of the commit content is performed before it is processed.
  • Impact: Attackers who can contribute to the repository's git history can embed instructions that influence the agent's behavior or decision-making when the skill is used to recall context.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 9, 2026, 08:53 PM