The Agent Skills Directory

Indirect Prompt Injection (LOW): The skill is designed to ingest and process untrusted data from external sources (GitHub Issues, PR descriptions, and code) while possessing high-privilege capabilities including shell access and repository modification.
Ingestion points: Functions like searchIssues, getPullRequest, and searchCode (referenced in SKILL.md) allow external, attacker-controlled text into the agent's context.
Boundary markers: The instructions lack explicit delimiters or warnings to the agent to ignore instructions embedded within the data being processed.
Capability inventory: The skill allows use of the Bash tool and file system modification (Write, Edit), which could be abused if the agent obeys instructions found in a malicious GitHub Issue.
Sanitization: There are no instructions provided for sanitizing or escaping the content retrieved from GitHub before processing it.
Metadata Consistency (SAFE): The multi-language description files (description_*.txt) contain inconsistent translations and mixed languages (e.g., German/Russian mixed with Chinese), which appears to be a localization error rather than a deceptive attempt at metadata poisoning.

github-automation