
plot-idea

Fail

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill constructs shell commands by directly interpolating the <title> variable extracted from $ARGUMENTS. While the <slug> is validated against a safe regex, the title (defined as everything after the first colon) is used directly inside double-quoted strings in commands like git commit -m "plot: <title>" and gh pr create --title "Plan: <title>". An attacker could provide a title such as My Title" ; malicious_command ; # to break out of the string and execute arbitrary shell commands.
  • [COMMAND_EXECUTION]: Configuration values read from the project's CLAUDE.md file, such as <project board name>, are interpolated into shell commands (e.g., gh pr edit <number> --add-project "<project board name>"). If a repository contains a maliciously crafted CLAUDE.md, it can trigger command execution when the skill is run.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection via the processing of untrusted data from the user and the repository environment.
      • Ingestion points: The $ARGUMENTS variable provided by the user and the CLAUDE.md configuration file found in the repository (SKILL.md steps 1 and 7).
      • Boundary markers: No boundary markers or delimiters are used to wrap the interpolated content, nor are there instructions to the agent to ignore embedded commands within these fields.
      • Capability inventory: The skill possesses extensive capabilities, including branching, committing, and pushing code (git), creating and editing pull requests (gh CLI), and writing to the local filesystem (mkdir, ln, cat).
      • Sanitization: Sanitization is only applied to the slug field (regex [a-z0-9-]+). No sanitization, escaping, or validation is performed on the title field or on the configuration values extracted from CLAUDE.md.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 2, 2026, 03:11 AM