git-commit-bullets

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection as it directly ingests untrusted data from the local environment.
      • Ingestion points: Uses git diff, git diff --stat, and git diff --cached to read the contents of the current working tree and staged changes (SKILL.md, steps 1 & 4).
      • Boundary markers: There are no explicit delimiters or instructions provided to the agent to ignore instructions embedded within the code diffs it reads.
      • Capability inventory: The agent can execute arbitrary shell commands including git commit, npm run, ruff, and cargo (SKILL.md, step 7).
      • Sanitization: No sanitization or filtering of the file content is performed before it is processed by the agent.
  • [Command Execution] (HIGH): The workflow (Step 7) explicitly instructs the agent to run local execution commands such as npm run format, npm run lint, and cargo fmt. These commands execute scripts defined in the repository's configuration (e.g., package.json, Cargo.toml). In an untrusted or malicious repository, these scripts could execute arbitrary malicious code on the host system.
  • [Data Exposure & Exfiltration] (LOW): Although the skill includes a manual 'sanity check' for secrets in step 4, the agent naturally gains visibility into potentially sensitive code and environment configurations during the diffing and linting process. There is no evidence of network exfiltration, but the ingestion of sensitive files (Category 2) is inherent to the git workflow.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 11:35 AM