skills/khoahyh/skills/sharingan/Gen Agent Trust Hub

sharingan

Pass

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/clone_repo.sh executes the git clone command using the user-supplied --repo-url and --ref parameters to pull repository data into a temporary directory.
  • [EXTERNAL_DOWNLOADS]: The skill is designed to download content from arbitrary Git repositories. While it restricts activity to the Git protocol, it fetches untrusted data from remote sources into the local environment.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted content from external repositories and includes it in output artifacts intended for other AI agents.
      • Ingestion points: scripts/build_context_bundle.py reads and processes the contents of all text files within the cloned repository.
      • Boundary markers: The skill utilizes citation markers such as [cite: <chunk_id> <path>:<lines>] in its summary.md output. However, these markers do not prevent a downstream LLM from interpreting and obeying instructions embedded within the cited text.
      • Capability inventory: Although this skill specifically avoids executing repository code (as stated in SKILL.md), its primary purpose is to prepare context for other skills or agent workflows, making it a vector for cross-skill injection.
      • Sanitization: The sanitize_summary_text function in scripts/build_context_bundle.py provides basic redaction for secrets (e.g., API keys, passwords) but does not validate or sanitize the content for malicious instructions, hidden commands, or jailbreak attempts.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 5, 2026, 08:03 PM