The Agent Skills Directory

[COMMAND_EXECUTION] (SAFE): The skill uses Bash in Step 0 to compute repository-specific paths. These commands (basename, git, hash-object, date) are used for local environment setup and do not involve untrusted inputs or remote execution.- [DATA_EXFILTRATION] (SAFE): Although the skill processes sensitive data (security findings and secrets discovered by other scans), it writes the resulting report only to the local filesystem (~/.ghost/repos/). There are no network requests (curl, wget, or fetch) that would allow for data exfiltration.- [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it ingests and inlines markdown content from external finding files into a final report without sanitization. An attacker who can influence the output of the prerequisite scan tools could potentially inject instructions into the final aggregated report. Ingestion points: Finding files located in <scans_dir>//findings/*.md. Boundary markers: Absent; the skill reads and inlines the complete markdown body of each finding. Capability inventory: File write permissions for report.md and Bash execution for path setup. Sanitization: None; content is inlined directly from source finding files.

ghost-report