The Agent Skills Directory

[INDIRECT_PROMPT_INJECTION]: The skill processes untrusted metadata from GitHub repositories (labels, project field names, and item values) which acts as an ingestion point for indirect prompt injection. 1. Ingestion points: Data is retrieved using 'gh label list', 'mcp__github__projects_list', and 'gh issue list' (SKILL.md). 2. Boundary markers: The workflow instructions lack explicit markers or delimiters to separate untrusted external data from the agent's logic. 3. Capability inventory: The skill performs high-privilege write operations including 'gh api -X POST' for field updates and 'gh api -X DELETE' for label removal (SKILL.md). 4. Sanitization: There is no instruction to sanitize or validate retrieved content against injection before it is used to influence agent decisions or script content.
[DYNAMIC_EXECUTION]: The skill instructs the agent to dynamically generate and potentially execute shell scripts for large-scale migrations. 1. Pattern: The logic recommends creating a 'standalone shell script' when handling 100+ issues (SKILL.md). 2. Risk: The generation of executable scripts using externally sourced, potentially attacker-controlled strings (such as label names or field values) introduces a risk of command injection if those strings contain shell-sensitive characters.

issue-fields-migration