reproduce-bug
Fail
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill incorporates the $ARGUMENTS variable directly into shell commands in SKILL.md (e.g., "gh issue view $ARGUMENTS" and "gh issue comment $ARGUMENTS"). This pattern is vulnerable to command injection if the execution environment does not sanitize the input, allowing an attacker to execute arbitrary code by including shell metacharacters in the issue reference.
- [DATA_EXFILTRATION]: The instructions direct the agent to search for and read sensitive files such as .env files and application logs to identify configuration details like port numbers. This behavior leads to the exposure of potentially sensitive environment variables and credentials stored within those files.
- [PROMPT_INJECTION]: By fetching and analyzing untrusted content from GitHub issues and comments, the skill is vulnerable to indirect prompt injection. A malicious actor could craft an issue containing instructions that hijack the agent's logic to perform unauthorized actions, such as exfiltrating data or modifying the codebase.
- Ingestion points: The skill fetches GitHub issue titles, bodies, and comments via "gh issue view" in SKILL.md.
- Boundary markers: No delimiters or safety instructions are present to isolate the untrusted issue content from the agent's system instructions.
- Capability inventory: The agent has access to file reading/searching, git logs, browser automation via agent-browser, and GitHub CLI write access.
- Sanitization: No validation or safety-filtering is performed on the content retrieved from the GitHub API before the agent processes it.
Recommendations
- AI detected serious security threats
Audit Metadata