plan-ci
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- Prompt Injection (LOW): The skill is susceptible to indirect prompt injection because it instructs a subagent to read and analyze external GitHub Actions logs. A malicious actor could embed instructions within CI logs to influence the agent's behavior or the generated plan. Evidence Chain:
  1. Ingestion points: External data enters via the github-actions-url argument.
  2. Boundary markers: Absent; there are no specified delimiters or instructions to ignore embedded commands in the logs.
  3. Capability inventory: The skill can spawn a subagent, write files (plan.md), and execute commands (/plan-review).
  4. Sanitization: Absent; no mention of content filtering or validation for the log data.
Audit Metadata