skills/getpaseo/paseo/paseo-epic/Gen Agent Trust Hub

paseo-epic

Pass

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill incorporates user input from the $ARGUMENTS variable directly into its operational logic. This creates a potential for direct prompt injection if a user provides malicious arguments designed to subvert the agent's instructions, particularly when using the --autopilot mode, which skips manual confirmation steps.
  • [PROMPT_INJECTION]: The skill possesses a significant attack surface for indirect prompt injection due to its processing of external, untrusted data.
      • Ingestion points: The orchestrator and its sub-agents ingest data from the local repository's source code, project documentation, and CI/CD failure logs during the automated 'fix-build' phase.
      • Boundary markers: The skill employs a structured, phased workflow and provides specific mandates for each agent role (e.g., 'describe problems, not solutions') to limit the impact of untrusted data, though it does not specify explicit sanitization or delimiters for the ingested content.
      • Capability inventory: The orchestrator has the capability to execute shell commands (git, gh), modify local files, and spawn sub-agents that can write code and push changes to remote repositories.
      • Sanitization: No explicit sanitization or validation of the ingested code or log data is described before it is used by the agent for decision-making.
  • [COMMAND_EXECUTION]: The skill frequently executes shell commands using git and the GitHub CLI (gh) to automate software delivery tasks. These include committing changes, pushing branches, and merging pull requests, which are executed autonomously based on the state of the orchestration plan.
  • [DATA_EXFILTRATION]: The skill is designed to transmit local code to remote servers via git push and GitHub pull request creation. While this is the intended purpose of the tool, it represents a path for data to leave the local environment that could be exploited if the agent's logic is compromised.
Audit Metadata
Risk Level: SAFE
Analyzed: May 9, 2026, 10:45 AM