librarian

Pass

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is inherently vulnerable to indirect prompt injection due to its core function of processing untrusted external data.
  • Ingestion points: It ingests data from public GitHub repositories (via fetch_content), web search results (via web_search), and community-contributed issues and PRs (via gh CLI).
  • Boundary markers: No explicit boundary markers or instructions are provided to help the agent distinguish between its system instructions and potential instructions embedded in the external code or documents it analyzes.
  • Capability inventory: The skill utilizes bash for searching and inspecting files, read for viewing file content, and gh for interacting with the GitHub API.
  • Sanitization: The skill does not implement sanitization or validation of external content before it is processed by the LLM or used to formulate subsequent tool calls.
  • [COMMAND_EXECUTION]: The skill relies on the bash tool to perform repository-level searches and git operations (e.g., grep, find, git blame). While these are standard research tools, the use of a general-purpose shell for processing untrusted repository data presents an exploitable surface if the agent is misled by malicious content within those repositories.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 15, 2026, 01:02 AM