github-evidence-kit

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Finding categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (MEDIUM): The GitClient in src/clients/git.py uses subprocess.run to execute git commands. While it avoids shell injection by using a list of arguments, several methods like get_commit, get_log, and cat_file pass user-provided strings (SHAs, refs, and dates) directly as arguments. This allows for argument injection; an attacker providing a malicious SHA or ref could include flags like --ext-diff or --upload-pack to execute arbitrary code or alter command behavior.
  • DATA_EXFILTRATION (LOW): The tool is designed to read forensic data from local and remote repositories. However, the GitClient.cat_file and GitHubClient.get_file methods provide capabilities to read arbitrary file contents, which could be abused to exfiltrate sensitive local information if the agent is manipulated by a malicious prompt.
  • PROMPT_INJECTION (LOW): The skill presents a significant surface for indirect prompt injection (Category 8). Ingestion points: src/collectors/api.py and src/collectors/archive.py fetch natural language content from GitHub, including commit messages, issue bodies, and PR descriptions. Boundary markers: No delimiters or safety instructions are present to prevent the agent from interpreting instructions embedded in this data. Capability inventory: The skill possesses powerful capabilities including local command execution and external network access. Sanitization: No sanitization or validation is performed on ingested strings before they are presented to the agent.
  • CREDENTIALS_UNSAFE (SAFE): The skill uses environment variables (GOOGLE_APPLICATION_CREDENTIALS) for BigQuery access and contains no hardcoded secrets.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:13 PM