The Agent Skills Directory

[Prompt Injection] (LOW): The skill is susceptible to indirect prompt injection. It ingests untrusted data from Gitea (PR reviews, descriptions, and comments) and processes them to 'intelligently' determine implementation steps or apply fixes (e.g., in apply-recommendations.md). An attacker could provide a malicious code review that the agent interprets as a directive. • Ingestion points: scripts/gitea-pr-checks.sh and references/commands/apply-recommendations.md. • Boundary markers: Absent. • Capability inventory: Network access via curl, local command execution via npm, git, and tea. • Sanitization: JSON structure is validated via jq, but no sanitization of natural language instructions in content is present.
[Command Execution] (LOW): The skill frequently executes system commands including git, npm, and the tea CLI to manage worktrees, run tests, and interact with the Gitea instance. This behavior is expected for a development tool but represents a capability tier that could be exploited if the agent's prompts are subverted.
[External Downloads] (LOW): The shell scripts gitea-ci-status.sh and gitea-pr-checks.sh utilize curl to fetch data from a user-configured GITEA_URL. While targeted at the Gitea API, this involves external network communication with potentially untrusted payloads from the repository's PR metadata.

gitea-workflow