finishing-a-development-branch

Fail

Audited by Gen Agent Trust Hub on Feb 14, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill executes shell commands defined by the project's environment (e.g., npm test, cargo test, pytest). If the repository being handled is untrusted, these commands can lead to arbitrary code execution via malicious scripts in files like package.json, Makefile, or tox.ini.
  • [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8). Evidence:
    1. Ingestion points: Reads repository contents and commit history to generate PR summaries.
    2. Boundary markers: None identified to separate untrusted repo data from agent instructions.
    3. Capability inventory: Significant capabilities including branch deletion (git branch -D), file transmission (git push), and interaction with external platforms (gh pr create).
    4. Sanitization: None. An attacker could embed instructions in a commit message that the agent might follow when preparing the PR.
  • [REMOTE_CODE_EXECUTION] (MEDIUM): While it does not download direct shell scripts via curl|bash, the reliance on git pull from remote origins and the subsequent execution of local scripts creates a vector for RCE from compromised remote repositories.
  • [DATA_EXFILTRATION] (MEDIUM): Commands like git push and gh pr create transmit local repository data to external services. If the agent is manipulated into including environment variables or secret files in the PR body (e.g., through Indirect Prompt Injection), this serves as an exfiltration path.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 14, 2026, 04:48 PM