github-ops

Warn

Audited by Gen Agent Trust Hub on Mar 23, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Multiple scripts, including actions.sh, issues.sh, prs.sh, releases.sh, and repos.sh, utilize the eval command to execute shell strings constructed from variable inputs. Variables such as --title, --body, --ref, and --inputs are not properly escaped or sanitized before being passed to eval. This allows an attacker who can influence these metadata fields (e.g., via a malicious pull request title or a specially crafted branch name) to execute arbitrary commands on the system running the agent.
  • [PROMPT_INJECTION]: The skill processes untrusted data from GitHub, which serves as a significant attack surface for indirect prompt injection. Malicious instructions embedded in repository files, comments, or discussions could override the agent's behavior.
  • Ingestion points: Untrusted data enters the context via repos.sh (contents and blobs), issues.sh (issue details and comments), prs.sh (PR details, comments, and diffs), discussions.sh (discussion content and comments), and search.sh (code and issue search).
  • Boundary markers: No boundary markers or 'ignore' instructions are used when fetching external data.
  • Capability inventory: The skill possesses extensive capabilities including file system write access (via releases.sh and actions.sh), and the ability to modify remote repository state and trigger CI/CD workflows.
  • Sanitization: No sanitization or validation is applied to data retrieved from GitHub before it is presented to the AI agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 23, 2026, 04:51 PM