oma-dev-workflow

Fail

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: CRITICAL
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill explicitly instructs the user to download a script from a remote URL (https://mise.run) and pipe it directly to a shell (sh) in SKILL.md. This bypasses any review or verification of the code being executed.
  • [COMMAND_EXECUTION]: The skill performs several high-risk system modifications:
    • Modifies the user's ~/.zshrc file to inject shell activation commands, which is a persistence mechanism.
    • Overwrites local Git hooks (.git/hooks/commit-msg, pre-commit, pre-push) with custom shell scripts that execute mise run commands, allowing for arbitrary code execution whenever git operations occur.
    • Uses kill -9 via lsof to terminate system processes based on port numbers, which can be dangerous if used improperly.
    • Executes various tools (uv run, bunx, flutter pub run) that can download and run code at runtime.
  • [EXTERNAL_DOWNLOADS]: In addition to the primary installer script, the skill uses bunx to dynamically fetch and execute packages like @commitlint/cli and orval without pinned versioning, and downloads Flutter dependencies via flutter pub run.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection vulnerability surface:
    • Ingestion points: The skill reads git commit messages and branch names in resources/validation-pipeline.md via git log and $1 arguments in git hooks.
    • Boundary markers: None. Untrusted commit message content is passed directly into shell commands.
    • Capability inventory: Extensive capabilities including file writing (git hooks), shell execution (mise run, bunx), and network operations (via tasks).
    • Sanitization: Absent. Commit messages are passed as raw arguments to shell scripts (e.g., exec mise run git:commit-msg -- "$1").
Recommendations
  • HIGH: Downloads and executes remote code from: https://mise.run - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Mar 21, 2026, 09:36 PM