kata-execute-phase

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: HIGH
Finding categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • EXTERNAL_DOWNLOADS (HIGH): An automated scanner (URLite) identified a blacklisted malicious URL in the REQUIREMENTS.md file. The presence of known-malicious URLs within skill distribution files is a severe indicator of potential malicious intent or supply chain compromise.
  • REMOTE_CODE_EXECUTION (MEDIUM): The references/tdd.md file contains instructions for the AI agent to install and run third-party testing frameworks (e.g., jest, pytest) using standard package managers. This capability, while common in development, introduces a vector for remote code execution if the agent is directed to install malicious or untrusted packages.
  • COMMAND_EXECUTION (MEDIUM): The skill utilizes several complex bash scripts (e.g., create-draft-pr.sh, manage-worktree.sh) that interact with the Git and GitHub CLI. These scripts extract data from markdown files such as ROADMAP.md and *-PLAN.md using grep and sed, and splice that data into Pull Request titles and bodies without validation. Rendering the extracted text with printf '%b' interprets backslash escape sequences in it (a literal \n in a planning file becomes a line break, an octal escape becomes a control byte), and the templates are unquoted heredocs, so nothing separates file-system content from the template text. Together this creates an injection surface into the generated PR title and body.
  • INDIRECT PROMPT INJECTION (LOW): The skill processes untrusted data from project planning files to automate GitHub Pull Request creation, which is a classic surface for indirect prompt injection.
      • Ingestion points: .planning/ROADMAP.md and *-PLAN.md files read by scripts/create-draft-pr.sh and scripts/update-issue-checkboxes.sh.
      • Boundary markers: No markers or delimiters are present to isolate the external content from the shell script logic or the generated PR templates.
      • Capability inventory: Repository manipulation via git and GitHub CLI (gh pr create, gh issue edit).
      • Sanitization: Sanitization is absent; the scripts rely on simple text extraction patterns that do not account for maliciously crafted metadata or content expansion attempts.
Recommendations
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 18, 2026, 08:19 PM