sharing-skills

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Threat Categories: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill demonstrates a high-risk indirect prompt injection surface. Ingestion points: The skill reads file content from the local skills/ directory using cat commands. Boundary markers: There are no boundary markers or instructions to ignore embedded commands within the files being processed. Capability inventory: The skill uses git push and gh pr create, which are write operations with external network impact. Sanitization: No sanitization or validation is performed on the file content before it is interpolated into PR bodies or commit messages. An attacker-controlled skill file could contain instructions that manipulate the agent's behavior during the contribution process.
  • [Unverifiable Dependencies & Remote Code Execution] (MEDIUM): The skill generates and executes shell commands for git and gh using variable interpolation (${skill_name}). While these are standard tools, the construction of commands from local variables and file content without escaping poses a command injection risk if the environment is configured to interpret shell-sensitive characters.
  • [Data Exposure & Exfiltration] (LOW): The workflow is designed to push local repository content to an external source (origin or upstream-org/upstream-repo). While this is the intended purpose, it presents a risk of unintentional data exposure if sensitive files are located in the target directory, especially since the process is automated via the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 01:14 PM