github-ops
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
- PROMPT_INJECTION (HIGH): The skill explicitly instructs the agent to use a specific naming convention (NOJIRA:) to bypass organizational JIRA enforcement checks. Additionally, the skill is highly vulnerable to Indirect Prompt Injection.
  - Ingestion points: Untrusted data enters the context via gh pr view, gh issue view, and gh api (found in SKILL.md and pr_operations.md).
  - Boundary markers: Absent. No delimiters or 'ignore' instructions are provided to separate user data from system instructions.
  - Capability inventory: Powerful capabilities include gh pr merge, gh pr review --approve, gh secret set, and gh workflow run.
  - Sanitization: Absent. External content is interpolated directly into logic/decision-making without validation.
- COMMAND_EXECUTION (HIGH): The reference files (best_practices.md, pr_operations.md) utilize complex shell patterns including xargs and command substitution. These patterns are susceptible to injection if untrusted metadata from GitHub (like branch names or PR titles) is processed without strict escaping.
- REMOTE_CODE_EXECUTION (HIGH): Through gh workflow run, the skill can trigger arbitrary code execution in the GitHub Actions environment, which can be weaponized if the agent is influenced by untrusted data.
- EXTERNAL_DOWNLOADS (MEDIUM): The gh run download command fetches remote artifacts and logs without integrity verification, allowing untrusted data into the agent's environment.
- DATA_EXFILTRATION (MEDIUM): The skill provides instructions for accessing repository secrets (gh secret list) and raw API data, which could be exfiltrated by a compromised agent.
- CREDENTIALS_UNSAFE (LOW): The skill provides examples of hardcoded-style tokens and environment variables (GH_TOKEN=ghp_...), which may lead to insecure credential handling.
Recommendations
- AI detected serious security threats