generate-pr-description

Fail

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The shell command sequence in SKILL.md for identifying the parent branch fetches the current branch name with command substitution $(...) and interpolates it directly into a grep invocation in a pipeline, with no quoting and no option terminator. Branch names are attacker-controlled in any repository that accepts outside contributions or shares a remote. A bare $(...) expansion is not itself re-parsed for shell metacharacters, but the unquoted name is subject to word splitting and option injection (a branch whose name starts with a dash becomes a grep flag), and once the agent renders the command with the literal branch name substituted into the text, or hands the assembled string to a second shell, semicolons, backticks or a nested $(...) in the name execute as commands when the workflow runs.
  • [DATA_EXFILTRATION]: The scripts/copy-to-clipboard.mjs script takes a file path from its command-line arguments and copies the file's entire content to the system clipboard. Nothing confines that path to the project root, so an attacker who controls the argument (for example through an injected instruction the agent follows) can have any file readable by the agent's user placed on the clipboard, where every application on the system with clipboard access can read it.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted content from the repository's git history and branch names.
    • Ingestion points: Commit messages retrieved via git log, file diffs from git diff, and branch names are placed into the LLM prompt used to generate the description.
    • Boundary markers: The skill instructions specify no delimiters or special markers separating the untrusted git data from the agent's own instructions, so a commit message or diff hunk written as an instruction is indistinguishable, to the model, from the skill's instructions.
    • Capability inventory: The skill can execute shell commands (git operations), read and write files in the project root, and interact with the system clipboard, so an injected instruction has real side effects available to it.
    • Sanitization: There is no evidence of sanitization or validation logic that would detect or escape malicious instructions embedded in commit messages, diffs or branch names.
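To make the first finding concrete, the following is an added example (not code from the skill, and not from Gen Agent Trust Hub) contrasting the unsafe interpolation pattern with a hardened one. It stands in for the parent-branch step with a hypothetical "drop the current branch from the branch list" filter, since the exact SKILL.md pipeline is not reproduced in the audit, and it uses a branch list constructed inline in place of real git output.

```shell
#!/bin/sh
# Constructed stand-in for `git branch --format='%(refname:short)'` output.
# "-e" is the option-injection case; the semicolon case is passed in below.
BRANCHES='main
feature/x
-e
release/1.0'
export BRANCHES

# Unsafe pattern 1: unquoted expansion. The name is subject to word splitting
# and option injection; a branch called "-e" is consumed as a grep flag, so the
# filter silently breaks (grep errors out and prints nothing).
unsafe_unquoted() {
  printf '%s\n' "$BRANCHES" | grep -v $1
}

# Unsafe pattern 2: the resolved name is spliced into a command string that is
# handed to a second shell. This is what happens when an agent renders the
# command text with the literal branch name substituted: metacharacters execute.
unsafe_reinterpolated() {
  cmd="printf '%s\n' \"\$BRANCHES\" | grep -v $1"
  sh -c "$cmd"
}

# Hardened: quote the expansion, end option parsing with --, and match the
# whole line as a fixed string so regex metacharacters in the name are inert.
safe_filter() {
  printf '%s\n' "$BRANCHES" | grep -v -F -x -- "$1"
}

# Stand-alone run. In the real workflow the current branch would come from
# `git rev-parse --abbrev-ref HEAD`; here it is a constructed hostile value.
current='main; echo INJECTED'
echo '--- unsafe (reinterpolated): the echo runs ---'
unsafe_reinterpolated "$current"
echo '--- safe: the name is treated as data ---'
safe_filter "$current"
```

The fix is the same in any SKILL.md-driven shell step: assign the substitution to a variable, quote every expansion, put `--` before it, and never feed the rendered command text back through `sh -c` or `eval`.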
Recommendations
  • AI detected serious security threats
  • Quote the branch-name expansion and pass it to grep as a fixed string behind an option terminator (grep -F -x -- "$branch"); never re-feed the assembled command text to a shell.
  • Confine the path accepted by scripts/copy-to-clipboard.mjs to the project root (resolve it, then reject anything that lands outside) so an injected instruction cannot point it at an arbitrary readable file.
  • Wrap the git log, git diff and branch-name output in explicit delimiters in the prompt and instruct the agent to treat that region as data, not as instructions.
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 28, 2026, 11:29 PM