github-auto-star

Fail

Audited by Gen Agent Trust Hub on Feb 20, 2026

Risk Level: HIGH
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • Command Execution (HIGH): The skill constructs and executes shell commands using the gh CLI by interpolating project names and repository identifiers extracted from untrusted external sources (web articles, URLs, and screenshots) without any sanitization or escaping.
      • Evidence: Step 2 and Step 4 in SKILL.md show the use of gh search repos "项目名" and gh repo star owner/repo where the variables are populated from external content.
      • Risk: An attacker can include shell metacharacters (e.g., ;, |, `) in a webpage or image to execute arbitrary code on the user's machine.
  • Data Exposure & Exfiltration (HIGH): The skill requires a high-privilege GITHUB_TOKEN with the repo scope to function. Combined with the command injection vulnerability, this sensitive credential is at high risk of being exfiltrated to an attacker.
      • Evidence: config/.env.example and references/github-config.md instruct users to provide and export a token with full repository access.
  • Indirect Prompt Injection (LOW): The skill provides a significant attack surface for indirect prompt injection by ingesting untrusted third-party data to drive automated actions.
      • Ingestion points: Web extraction via URLs and OCR text extraction from screenshots (SKILL.md Step 1).
      • Boundary markers: Absent. There are no delimiters or instructions to help the agent distinguish between data and malicious instructions.
      • Capability inventory: The skill has the ability to execute shell commands, search GitHub, and modify the user's account (starring repos).
      • Sanitization: Absent. The logic assumes extracted text is a valid project name and passes it directly to the system shell.
  • Privilege Escalation (HIGH): The skill documentation recommends that users use sudo to install dependencies, which is a high-privilege operation.
      • Evidence: SKILL.md recommends sudo apt install gh for Linux users.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 20, 2026, 12:30 PM