git-it-out
Warn
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- [PROMPT_INJECTION]: The skill instructions mandate high autonomy by telling the agent to 'Ask only when the irreversible target is genuinely ambiguous' and to 'keep questions to the minimum'. This specifically targets the human-in-the-loop constraint, potentially leading the agent to execute dangerous production-level actions without explicit user approval.
- [COMMAND_EXECUTION]: The skill directs the agent to 'Execute the repo-native finish steps in order' and 'Identify the actual landing path' (e.g., merge, deploy, publish). This involves executing commands and scripts defined in external repository configurations which are not validated by the skill, effectively creating a command execution surface if the repository content is malicious.
- [DATA_EXFILTRATION]: The instructions require the agent to 'Inspect the current state', including 'release or deploy config' and 'task context'. This creates a data exposure risk where the agent may access and potentially leak sensitive environment configuration or deployment metadata during its automated 'closeout flow'.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection as it processes untrusted repository data to determine its execution logic.
  1. Ingestion points: Repository status, active branch, pending diffs, CI/test signals, and deployment configurations (SKILL.md).
  2. Boundary markers: Absent; no delimiters or 'ignore' instructions are provided for external content.
  3. Capability inventory: Branch pushing, PR merging, production deployment, and release publishing (SKILL.md).
  4. Sanitization: Absent; no validation or escaping of repository-derived content is performed.