skills/coderfee/ai/commit/Gen Agent Trust Hub

commit

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Command Execution] (HIGH): The skill is designed to execute shell commands automatically without user approval.
      • Evidence: The '约束规则' (Constraint Rules) section explicitly states: '自动化执行:分析并直接执行命令,无需二次确认' (Automated execution: analyze and directly execute commands without secondary confirmation).
      • Risk: Bypassing human-in-the-loop confirmation for write-access operations like git commit and git push allows any logic error or malicious injection to have immediate, non-reversible effects on the repository.
  • [Indirect Prompt Injection] (HIGH): The skill ingests untrusted data from the codebase to drive its logic.
      • Ingestion points: Uses git diff (SKILL.md, Workflow Step 1) to analyze changes.
      • Boundary markers: None. The skill does not implement delimiters or instructions to ignore embedded commands within the diff content.
      • Capability inventory: Has the power to create persistent history (git commit) and transmit data to remote servers (git push).
      • Sanitization: None detected.
      • Risk: An attacker could place malicious instructions in a code comment or documentation file. When the agent runs git diff, it may interpret those instructions as part of its task, leading to 'Prompt Leakage' in commit messages or 'History Pollution'.
  • [Data Exfiltration] (MEDIUM): The skill performs network operations to remote repositories.
      • Evidence: Workflow step 5: '执行 git push 同步至远程' (Execute git push to sync to the remote).
      • Risk: Combined with the lack of confirmation, the agent could be tricked into pushing sensitive files (e.g., .env or keys accidentally added to the git index) to a remote server before the user can intervene.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 08:10 AM