pi-share

Pass

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It fetches session data from external GitHub Gists and interpolates this untrusted content directly into a prompt sent to a secondary AI model for summarization. An attacker could craft a malicious Gist containing instructions that override the summarization task.
    • Ingestion points: Conversation data is ingested from arbitrary GitHub Gists via the fetchSessionHtml function in fetch-session.mjs.
    • Boundary markers: The prompt template used in the generateHumanSummary function lacks delimiters or explicit instructions for the model to ignore embedded commands within the session transcript.
    • Capability inventory: The skill uses child_process.spawnSync to execute a local AI utility (pi), passing the untrusted data as a command-line argument for processing.
    • Sanitization: No escaping, filtering, or validation is performed on the retrieved session content before it is interpolated into the prompt string.
  • [COMMAND_EXECUTION]: The script fetch-session.mjs invokes the pi command-line tool using spawnSync. While the tool itself is part of the agent's expected environment, the command is constructed with a prompt containing untrusted data fetched from the network, which facilitates the indirect injection vector.
  • [EXTERNAL_DOWNLOADS]: The skill performs network requests to api.github.com and raw.githubusercontent.com to retrieve Gist content. While GitHub is a well-known service, the content itself is user-generated and untrusted, as it is retrieved based on arbitrary user-provided IDs or URLs.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 2, 2026, 10:28 PM