finishing-a-development-branch

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill exhibits a high-risk attack surface by ingesting untrusted repository data (branch names, commit lists) and using it to drive destructive operations like branch deletion (git branch -D) and worktree removal without sanitization. Ingestion points: Step 2 (base branch) and Step 4 (commit list). Boundary markers: None. Capability inventory: git branch -D, git worktree remove, npm test, gh pr create. Sanitization: None.
  • Unverifiable Dependencies & Remote Code Execution (MEDIUM): Step 1 executes the project's test suite (npm test, cargo test, etc.). Since these commands run scripts defined within the local repository, a compromised repository could execute arbitrary malicious code.
  • Command Execution (MEDIUM): Performs destructive shell operations including git branch -D and git worktree remove based on repository state.
  • Data Exfiltration (LOW): The skill pushes code to remote origins and uses the GitHub CLI to create Pull Requests. While functional, this represents a path for local data to leave the environment.
  • Dynamic Execution (MEDIUM): The skill generates and executes shell commands dynamically based on repository state and user choice, particularly in the test verification and PR creation steps.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 01:40 PM