git-advanced-workflows

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill enables the agent to process untrusted external data (Git repositories) and grants capabilities that can be exploited via data-driven instructions.
      • Ingestion points: External repository content including source code, commit history, and branch metadata processed in nearly all workflow files.
      • Boundary markers: Absent. The workflows do not specify delimiters or instructions to isolate or ignore instructions embedded in repository data.
      • Capability inventory: Full Git suite including git commit, git push (write/exfiltration), and arbitrary shell execution via git bisect run (execution).
      • Sanitization: Absent. Although the skill provides instructions for manual security scans, it lacks automated sanitization of external input before it influences agent reasoning or command execution.
  • [Remote Code Execution] (MEDIUM): The git bisect run functionality (referenced in SKILL.md and workflows/Log.md) allows for the automated execution of local scripts (./test.sh) or package-defined tests (npm test). If used on an untrusted repository, this facilitates arbitrary code execution.
  • [Unverifiable Dependencies] (MEDIUM): Several internal assets and scripts mentioned in the documentation are missing from the skill package, including scripts/git-clean-branches.sh, assets/git-workflow-checklist.md, and assets/git-aliases.md. These components cannot be verified for safety.
  • [Command Execution] (LOW): The skill extensively uses standard command-line tools (git, gh). The operations are standard for development workflows, but their combination with external data increases the overall risk profile.
  • [External Downloads] (LOW): The skill suggests installing external tools like the GitHub CLI (gh), gitleaks, and trufflehog. These are sourced from trusted package managers (brew, apt, pip), which downgrades the severity per [TRUST-SCOPE-RULE].
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:38 AM