skills/mxyhi/ok-skills/yeet/Gen Agent Trust Hub

yeet

Fail

Audited by Gen Agent Trust Hub on Apr 13, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The instruction 'run pr-body.md' in SKILL.md directs the agent to execute a file containing AI-generated PR descriptions. This is highly unsafe as it can lead to arbitrary command execution if the description contains shell syntax or if the shell environment attempts to interpret the markdown content as code.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It ingests untrusted data (source code deltas) to generate a PR description and then executes that description. An attacker could place malicious instructions in comments within the code which the AI then includes in the PR body, leading to execution during the 'run pr-body.md' step.
      • Ingestion points: Source code diffs used for PR body generation (SKILL.md).
      • Boundary markers: Absent.
      • Capability inventory: Shell execution (run), git operations, gh CLI operations, dependency installation.
      • Sanitization: Absent.
  • [EXTERNAL_DOWNLOADS]: The workflow specifies that if checks fail, the agent should 'install dependencies and rerun once'. This allows the agent to download and install arbitrary packages from external registries without explicit user oversight of the package names or versions.
  • [DATA_EXFILTRATION]: The skill uses git push and gh pr create to transmit local code to remote GitHub repositories. It specifically sets GH_PROMPT_DISABLED=1 and GIT_TERMINAL_PROMPT=0 to suppress user interaction, which reduces transparency and could facilitate the silent exfiltration of sensitive information if the destination branch or PR content is maliciously influenced.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 13, 2026, 12:01 PM