skills/ionfury/homelab/sync-claude/Gen Agent Trust Hub

sync-claude

Pass

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The execution logic defined in the SKILL.md and the Command Validator Agent prompt instructs the AI to perform a 'dry-run where safe' for commands (e.g., task, kubectl, git) extracted from documentation. Because documentation is untrusted input that can be modified by contributors, an attacker could embed malicious commands that might be executed if the agent's safety evaluation for the dry-run is insufficient.
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) as it ingests content from repository documentation to drive its validation logic.
      • Ingestion points: Documentation files such as CLAUDE.md and SKILL.md, which are identified and processed by the provided shell scripts.
      • Boundary markers: The prompts for the Haiku and Opus agents lack explicit delimiters or instructions to treat documentation content as untrusted data, which could allow instructions hidden within the docs to override the agent's primary validation task.
      • Capability inventory: The skill has access to the local filesystem and git history, and is explicitly authorized to validate and dry-run command syntax.
      • Sanitization: The scripts/extract-references.sh script extracts references using regular expressions but does not perform any sanitization or validation to ensure the extracted text is safe for processing by an LLM.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 31, 2026, 03:26 PM