gh-tasks

Warn

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: MEDIUM [PROMPT_INJECTION] [COMMAND_EXECUTION]
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection across several sub-skills (plan.md, review.md, and work.md). These sub-skills are designed to read and process external content from GitHub, including issue bodies, pull request comments, and code diffs. An attacker could embed malicious instructions within these fields to influence the agent's behavior, potentially leading to unauthorized repository modifications or the execution of unintended tasks by the agent.
  • [COMMAND_EXECUTION]: The sub-skills and scripts frequently perform shell command interpolation using data retrieved from GitHub (e.g., issue titles and bodies). For instance, in sub-skills/plan.md, the agent is instructed to use gh issue edit with a body that includes ${EXISTING_BODY}. If the existing issue body contains shell-active sequences such as backticks or $(...) command substitution, the shell could evaluate them during command execution, leading to command injection.
  • [COMMAND_EXECUTION]: The orchestrate.md sub-skill uses the Task tool to dynamically generate and launch subagents for task implementation. The prompts for these subagents are derived from GitHub issue content. This pattern creates a risk where malicious input from an external source (the issue body) can programmatically define the instructions for a secondary AI agent, increasing the complexity of monitoring and controlling the agent's actions.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 2, 2026, 11:02 AM