The Agent Skills Directory

[Indirect Prompt Injection] (HIGH): The skill reads untrusted data from the git working directory (unstaged, staged, and untracked files) and uses this content to determine how to group changes and what commit messages to write. This creates a significant attack surface where instructions embedded in code or comments within the files could influence the agent's behavior.
Ingestion points: SKILL.md (instructions to read all uncommitted changes, including unstaged and untracked files).
Boundary markers: None. No instructions are provided to the agent to ignore instructions embedded within the files being committed.
Capability inventory: Bash(git:*) (capability to commit, modify files like 'beans' for status updates, and push to remote repositories).
Sanitization: None. The agent is encouraged to interpret the 'semantic meaning' of changes, which is a prime vector for prompt injection.
[Command Execution] (MEDIUM): The skill mandates an automatic git push to a remote repository after any commit. While standard for git workflows, performing this automatically on data derived from un-sanitized file content allows for immediate exfiltration of potentially malicious commits triggered by indirect injection.
[Data Exposure] (LOW): The skill reads the entire working directory including untracked files, which may contain sensitive configuration or environment files (.env, etc.) not yet ignored by .gitignore, potentially including them in commits.

committer