release-tweet

Pass

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because it ingests and processes untrusted content from GitHub release notes.
      • Ingestion points: Release notes are fetched via gh release view in SKILL.md and parsed to summarize changes.
      • Boundary markers: Absent. The instructions do not provide specific delimiters or 'ignore' instructions to prevent the agent from following commands embedded within the release markdown.
      • Capability inventory: The skill has the ability to execute gh CLI commands, perform web searches, and generate text output based on the parsed data.
      • Sanitization: Absent. The skill performs summarization and transformation of external text without explicit filtering or sanitization of potential command patterns.
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute several gh CLI commands using variables sourced from external and potentially untrusted data.
      • Evidence: Commands such as gh release view <tag> in SKILL.md and gh api users/<username> in references/handle-verification.md use parameters extracted from release notes and contributor lists. While gh is a well-known and trusted tool, the interpolation of external strings into shell commands represents a vulnerability surface if the underlying agent does not properly escape or handle these arguments.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 8, 2026, 03:34 PM