ops-merge

Warn

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes high-privilege operations via the GitHub CLI (gh), specifically the --admin flag when merging PRs. This allows the agent to bypass repository-level safeguards like required status checks or peer reviews. It also performs git push --force-with-lease, which can overwrite repository history.
  • [COMMAND_EXECUTION]: The skill employs dynamic context injection in SKILL.md using the ! syntax to execute ${CLAUDE_PLUGIN_ROOT}/bin/ops-merge-scan automatically upon loading. This results in the execution of a shell script provided by the skill before any user interaction.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by processing external data from GitHub to drive autonomous code changes.
    • Ingestion points: The agent reads PR review comments via the GitHub API and CI failure logs in Phase 3.
    • Boundary markers: Absent. There are no delimiters or instructions provided to the sub-agents to treat content from logs or comments as untrusted data.
    • Capability inventory: The fixer agents have access to Write, Edit, and Bash tools, allowing them to modify files and push changes to remote repositories.
    • Sanitization: Absent. The skill does not implement any validation or filtering for instructions hidden within PR comments or CI output.
  • [CREDENTIALS_UNSAFE]: The instructions direct the agent to retrieve sensitive credentials, such as the GITHUB_TOKEN, from the environment or by invoking the Doppler CLI (doppler secrets get). Accessing secret managers programmatically increases the potential impact if the agent's logic is subverted.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 29, 2026, 06:48 AM