ln-914-community-responder
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs shell commands using variables such as {N}, {owner}, {repo}, and {path} within Phase 1, Phase 2, and Phase 5. These variables are derived from user arguments and external repository metadata, creating a risk of command injection if the inputs contain shell metacharacters.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data (GitHub issue and discussion bodies) during Phase 2. This could allow an attacker to embed malicious instructions that influence the agent's context analysis, codebase search, or response composition.
  - Ingestion points: Phase 1 and 2 read issue/discussion content from the target GitHub repository.
  - Boundary markers: None identified; untrusted content is processed without clear delimiters or instructions to ignore embedded commands.
  - Capability inventory: Uses Bash(ls, grep), gh api (read/write), and WebFetch (Phase 0 discovery).
  - Sanitization: No explicit sanitization or validation of the ingested GitHub content is documented.
- [SAFE]: The skill explicitly mandates a human-in-the-loop workflow with the rule "Always require user approval before publishing any response," which significantly mitigates the risk of automated malicious actions.
Audit Metadata