skills/duc01226/easyplatform/fix-hard/Gen Agent Trust Hub

fix-hard

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is designed to ingest untrusted data through the $ARGUMENTS placeholder within <issues> tags. This input drives the behavior of multiple subagents capable of writing code and managing repositories.
      • Ingestion points: File SKILL.md via <issues>$ARGUMENTS</issues>.
      • Boundary markers: Uses XML-style <issues> tags, but lacks explicit instructions to ignore embedded commands within that data.
      • Capability inventory: Includes code implementation (/code command), repository modification (git-manager), and internet research (researcher).
      • Sanitization: No sanitization or validation of the input data is present.
  • [Command Execution] (MEDIUM): The skill explicitly utilizes the /code command and subagents like debugger to perform actions on the local environment. When combined with untrusted input, this increases the risk of arbitrary code execution through the planner-to-code pipeline.
  • [External Downloads] (LOW): The researcher subagent is instructed to perform internet searches, which introduces external content into the reasoning chain, potentially leading to multi-step injection attacks.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 09:02 AM