
gh

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill facilitates reading untrusted external data (issue comments, PR descriptions) which can contain malicious instructions. Combined with the agent's ability to merge code, delete resources, or post comments, this creates a significant attack surface.
    • Ingestion points: gh issue view, gh pr view, gh api, and various search commands in SKILL.md.
    • Boundary markers: None provided in the instructions to separate untrusted data from system instructions.
    • Capability inventory: gh pr merge, gh repo create, gh issue comment, gh gist create, and gh workflow run provide significant side-effect capabilities.
    • Sanitization: None present; the agent is expected to process raw output from the GitHub API.
  • [Data Exfiltration] (MEDIUM): Commands like gh gist create and gh release create allow the agent to upload local files or sensitive data to external GitHub endpoints, which could be used to exfiltrate secrets or source code.
  • [External Downloads] (MEDIUM): Commands such as gh repo clone and gh release download enable the fetching of arbitrary remote code or binaries into the local execution environment.
  • [Persistence Mechanisms] (LOW): The skill includes documentation for using tmux to run background processes (gh run watch), which could be leveraged to maintain long-running unauthorized activity across sessions.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 06:34 AM