The Agent Skills Directory

PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection (IPI) via untrusted external data. * Ingestion points: Fetching failed step logs (gh run view --log-failed) and downloading debug artifacts (gh run download). * Boundary markers: Absent. There are no delimiters or instructions for the agent to ignore embedded instructions within the fetched logs. * Capability inventory: The agent has access to the Bash tool for reproduction and is instructed to make code changes to fix the issue. * Sanitization: Only simple truncation (head -500) is performed, which does not prevent malicious instruction processing.
COMMAND_EXECUTION (LOW): The skill uses local development tools (pytest, go test, npm, etc.) to reproduce failures. While these are standard tools, the specific commands are dynamically constructed based on the CI job name, which could be manipulated.
EXTERNAL_DOWNLOADS (LOW): Uses gh CLI and brew for tool management and downloads artifacts to /tmp/ci-debug/. Interactions with GitHub are considered trusted sources, but the artifact content itself remains untrusted and a vector for IPI.

fix-ci