github-project-automation

Pass

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The script scripts/implement_issue.py is vulnerable to indirect prompt injection because it fetches GitHub issue titles and bodies and interpolates them directly into a prompt template for the AI agent.
  • Ingestion points: The skill reads external, potentially attacker-controlled content from GitHub issues via the scripts/fetch_issue.py and scripts/implement_issue.py scripts.
  • Boundary markers: The generated prompts use standard Markdown headers but lack robust delimiters around the fetched content and contain no instruction telling the agent to disregard directives embedded within the fetched issue content.
  • Capability inventory: The skill possesses extensive capabilities, including system command execution via subprocess.run for tools like gh, git, pnpm, and turbo, enabling it to modify the codebase and interact with remote repositories.
  • Sanitization: The skill performs minimal sanitization; while it uses a slugify function for branch names, it does not escape or sanitize the issue content incorporated into AI prompts.
  • Mitigation: The skill design includes a critical 'User Approval Gate' (documented in Phase 4 of the SKILL.md), which requires a human to review the generated implementation plan before the AI agent proceeds with code changes.
  • [COMMAND_EXECUTION]: The skill makes heavy use of subprocess.run to execute external CLI tools such as the GitHub CLI (gh), git, pnpm, and turbo. While this is necessary for the skill's primary automation purpose, it represents a significant capability surface that requires the agent to operate in a high-trust environment.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 4, 2026, 03:05 PM