The Agent Skills Directory

[PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection through the ingestion of untrusted data from public GitHub issues.
Ingestion points: Issue titles, bodies, and comments are fetched via the GitHub CLI and API (SKILL.md).
Boundary markers: The skill lacks explicit delimiters or instructions to ignore embedded commands when processing untrusted issue content.
Capability inventory: The agent possesses significant capabilities, including shell command execution (bun run test, prek run), filesystem modification, and authenticated GitHub write operations (gh pr create, gh issue comment).
Sanitization: No evidence of input sanitization or validation is present before the untrusted data is used to guide code modification and execution.
[COMMAND_EXECUTION]: The skill performs dynamic execution of code that has been modified based on untrusted input.
During the Quality Gate phase, the modified codebase is executed using tools like bun run test and prek run. This allows for a scenario where a crafted GitHub issue could trick the agent into introducing and then executing malicious code during the testing phase.
[PROMPT_INJECTION]: The skill's instructions mandate autonomous operation and concealment, which are identified as security risks.
It explicitly commands the agent to run the entire workflow "without stopping for user confirmation," bypassing critical human-in-the-loop oversight.
It forbids the use of AI signatures in commits, PRs, or issues ("NEVER add any AI-related signatures"), which obscures the automated nature of the contributions and complicates security auditing and attribution.

fix-issues