skills/hungv47/product-skills/ship/Gen Agent Trust Hub

ship

Warn

Audited by Gen Agent Trust Hub on Apr 18, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The SKILL.md orchestrator contains a shell command for gh pr create that passes the <title> argument inside double quotes. This allows for shell command substitution (e.g., $(...)) if the PR title, which is derived from untrusted project data or user input, contains malicious shell sequences.
  • [COMMAND_EXECUTION]: The test-runner-agent.md is designed to detect and execute test commands from project files such as package.json and CLAUDE.md. While a standard practice for development tools, this allows for the execution of arbitrary scripts defined within the repository without safety validation.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it processes untrusted data from git diff, git log, and task files to generate commit messages and PR documentation.
    * Ingestion points: Untrusted data enters the context through git diff outputs, commit histories, and local files like .agents/tasks.md or .agents/spec.md.
    * Boundary markers: The skill lacks explicit boundary markers or instructions to the agents to ignore embedded instructions within the processed data.
    * Capability inventory: The skill possesses Bash execution capabilities for git and GitHub CLI operations, as well as running detected test scripts.
    * Sanitization: There is no evidence of sanitization or escaping of the processed data before it is interpolated into shell commands or generated reports.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 18, 2026, 09:10 AM