he-bing
Warn
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions describe constructing shell commands by interpolating unvalidated user-provided task descriptions (e.g., `BRANCH_NAME="feature/$(echo "$TASK" | ...)"`). This pattern is vulnerable to shell command injection if the agent executes these strings directly, potentially allowing arbitrary code execution.
- [COMMAND_EXECUTION]: The merge phase utilizes the `gh pr merge --admin` command. The `--admin` flag allows the tool to bypass GitHub branch protection rules, such as required status checks or minimum review requirements, which represents a high-privilege action.
- [PROMPT_INJECTION]: The workflow is vulnerable to indirect prompt injection as it depends on monitoring external PR comments for a specific trigger string ("No issues found") from a bot to proceed with automated merging. This could be exploited by an attacker with the ability to comment on the repository.
- [EXTERNAL_DOWNLOADS]: The skill automatically performs `bun install` when a project lockfile is detected during the worktree setup phase. While this is standard for JavaScript development, it triggers the download and execution of external dependencies within the agent's environment.
Audit Metadata