github-workflow-automation

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill provides patterns for processing untrusted data from GitHub (Pull Request diffs, issue bodies, and comment text) directly within AI prompts without boundary markers or sanitization, creating a surface for indirect prompt injection.
      • Ingestion points: PR diffs in Section 1.1, issue content in Section 2.1, and comment text in Section 5.1.
      • Boundary markers: Prompts use simple interpolation without delimiters or instructions to ignore embedded commands.
      • Capability inventory: AI output is used to perform repository actions such as creating reviews, labels, and comments.
      • Sanitization: Untrusted data is not sanitized or escaped before being included in prompts.
  • [COMMAND_EXECUTION]: Several patterns in the skill are vulnerable to command injection. In Section 5.1, untrusted comment text is interpolated directly into a shell command in a run block (echo "..." | sed ...). Additionally, the smartCherryPick code snippet in Section 4.2 uses exec with template literals for git operations, which is risky if inputs are derived from unsanitized commit metadata.
  • [EXTERNAL_DOWNLOADS]: The skill uses external dependencies and actions, including the @anthropic-ai/sdk Node package and several well-known GitHub Actions (e.g., actions/checkout@v4, actions/github-script@v7, actions/stale@v9, and slackapi/slack-github-action@v1).
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 10, 2026, 01:14 AM