gitlab-discussion

Pass

Audited by Gen Agent Trust Hub on Feb 20, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (LOW): The skill is designed to fetch and process discussion threads from GitLab, which are attacker-controllable inputs.
      • Ingestion points: SKILL.md (Workflow 2, 3, 5) uses glab api to retrieve discussion bodies and metadata.
      • Boundary markers: Absent; there are no instructions to the agent to treat the fetched comment data as untrusted or to ignore embedded instructions.
      • Capability inventory: The skill allows Bash execution and glab api write operations (POST, PUT, DELETE), providing a significant action surface if an agent is manipulated by fetched content.
      • Sanitization: Absent; the skill relies on jq for parsing but does not sanitize the content of the body field before the agent processes it.
  • Command Execution (LOW): Several Bash examples in the documentation (e.g., Workflow 1 and 2) use unquoted variables such as $project_id and $discussion_id. While these are expected to be numeric or system-generated IDs, if an agent provides unsanitized user input containing shell metacharacters, it could lead to command injection within the local shell environment.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 20, 2026, 09:15 AM