commit-push

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect prompt injection because it ingests untrusted data and possesses significant side-effect capabilities.
    • Ingestion points: The skill reads the output of git status and git diff to analyze code changes (SKILL.md, Step 2 and 3).
    • Boundary markers: Absent. There are no instructions or delimiters defined to prevent the agent from obeying instructions embedded within the code diffs it is summarizing.
    • Capability inventory: The skill executes git add, git commit (command execution), and git push (network/exfiltration) (SKILL.md, Step 5 and 6).
    • Sanitization: While the skill checks for sensitive file names (like .env), it does not sanitize the content of the diffs. A malicious payload inside a source file could trick the agent into generating a malicious commit message or altering its execution flow.
  • [Command Execution] (MEDIUM): The skill executes arbitrary Git commands through the shell. Specifically, it uses a HEREDOC pattern in Step 5 to pass LLM-generated strings directly into a git commit command. If a prompt injection delivered through the diff content succeeds, the LLM could be coerced into breaking out of the HEREDOC or manipulating the shell command parameters.
  • [Data Exfiltration] (LOW): The skill facilitates the movement of local data to remote servers via git push. Although this is the stated purpose, in a compromised state, this mechanism could be used to push sensitive data to an attacker-controlled repository if the agent is convinced to change the push target or include sensitive files in the commit.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 11:13 AM