configure-workflows

Pass

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION

Full Analysis
  • [COMMAND_EXECUTION]: The skill uses shell utilities including find, rg, and test to identify the project structure, locate configuration files (such as package.json or pyproject.toml), and list existing GitHub Actions workflows for analysis.
  • [EXTERNAL_DOWNLOADS]: The skill fetches the latest release versions for various standard actions from trusted repositories on GitHub, including those managed by GitHub (actions/*), Docker (docker/*), and Google (google-github-actions/*). These references are used solely for version verification and compliance reporting.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted data from existing workflow files in the repository.
      • Ingestion points: The agent reads the contents of YAML and Markdown files from the .github/workflows/ directory during the compliance analysis phase.
      • Boundary markers: No specific delimiters or "ignore instructions" markers are implemented when interpolating existing workflow content into the agent's context.
      • Capability inventory: The agent has access to Write, Edit, and WebFetch tools, providing a pathway for actions based on ingested content.
      • Sanitization: The instructions do not specify any sanitization or validation logic for the content read from repository files before it is processed.

Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 5, 2026, 12:47 PM