
local-merge

Warn

Audited by Gen Agent Trust Hub on May 4, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses shell interpolation for the BRANCH and TARGET variables within bash blocks. The validation check `case "$BRANCH$TARGET" in *['$!']*)` is inadequate because it rejects only `$` and `!` and fails to filter many other dangerous shell metacharacters, such as semicolons (;), pipes (|), ampersands (&), and redirects (>, <). If the agent environment interpolates these variables into shell strings, this creates a risk of command injection.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. In Phase 2d, the agent is directed to execute git log and git diff and then "analyze divergence" using a decision matrix. Because commit messages and file diffs are untrusted data that can be influenced by external parties, and the skill provides no boundary markers or delimiters to isolate this content, an attacker could embed malicious instructions in the git history to override the agent's logic and force unauthorized merges or other actions. Evidence of this vulnerability is found in SKILL.md, where the agent's reasoning is applied directly to unsanitized tool output.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 4, 2026, 06:42 AM