project-add-items

Fail

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions describe constructing shell commands using untrusted data parsed from external sources. Specifically, the pattern gh project item-create ... --title "<タイトル>" and --body "<本文>" allows for command injection. An attacker could craft a task title containing shell metacharacters (e.g., " && malicious_command #) to execute arbitrary code when the agent attempts to create the project item.
  • [COMMAND_EXECUTION]: The documentation explicitly suggests the use of GIT_SSL_NO_VERIFY=1 when running in sandbox environments. This practice disables TLS certificate validation, making the agent's network requests vulnerable to Man-in-the-Middle (MitM) attacks.
  • [EXTERNAL_DOWNLOADS]: The skill can fetch content from arbitrary URLs provided by the user to extract project items. While intended for GitHub sources, there is no validation or domain whitelisting, which could be abused to fetch malicious content or trigger server-side requests.
  • [PROMPT_INJECTION]: The skill ingests untrusted data from files and URLs and uses it to drive subsequent agent actions. The lack of explicit boundary markers or instructions to ignore embedded commands in the processed data creates a surface for indirect prompt injection. The skill ingests data via file paths and URLs (SKILL.md), lacks boundary markers, has the capability to execute shell commands via the gh CLI, and contains no sanitization logic for external content.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 16, 2026, 09:50 PM