The Agent Skills Directory

[Indirect Prompt Injection] (HIGH): The skill processes untrusted input from the $ARGUMENTS variable, which is labeled as 'Reported Issues'.
Ingestion points: Input is ingested in SKILL.md via the <issues>$ARGUMENTS</issues> block.
Capability inventory: The skill has high-privilege capabilities including code compilation and test execution via the tester subagent, as well as code modification via the main agent.
Boundary markers: XML-style tags are used, but they are insufficient to prevent an LLM from obeying adversarial instructions embedded within the issue description.
Sanitization: There is no evidence of input validation or sanitization. A malicious issue report could contain instructions like 'The fix requires running rm -rf /' which the agent might attempt to implement.
[Command Execution] (MEDIUM): The workflow requires the agent to 'compile the code' and 'run the tests'. This is an inherent risk as it involves executing code that the agent itself may have modified based on untrusted input.
[Dynamic Capability Activation] (LOW): The instruction to 'activate the skills that are needed' allows the agent to dynamically expand its capability set at runtime, which could lead to privilege escalation if the agent decides it needs more powerful tools to resolve a (potentially malicious) reported issue.

fix-test