
worklog

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION] (MEDIUM): The skill is highly susceptible to Indirect Prompt Injection (Category 8). It ingests untrusted data from external sources (GitHub PR titles, Alibaba Cloud task descriptions) and local sources (git commit messages) and presents them to the agent for summarization.
      ◦ Ingestion points: scripts/github.sh (via gh search), scripts/stats.sh (via git log), and Yunxiao MCP tools.
      ◦ Boundary markers: Absent. The skill lacks explicit delimiters or instructions for the agent to ignore instructions embedded within the retrieved work data.
      ◦ Capability inventory: The skill has command execution capabilities (bash, git, gh) and subagent invocation.
      ◦ Sanitization: Only basic JSON escaping is performed in scripts to prevent syntax errors; no semantic sanitization is applied to prevent malicious instructions in commits/tasks from influencing the agent's behavior.
  • [COMMAND_EXECUTION] (MEDIUM): The skill relies on executing local bash scripts (scripts/stats.sh and scripts/github.sh) with parameters interpolated by the agent ({since}, {until}, {author}).
      ◦ If the agent fails to properly sanitize these inputs (e.g., date ranges containing shell metacharacters), it could lead to command injection during the script invocation phase.
      ◦ The skill instructions encourage the agent to guide users through software installation (brew install), which is a legitimate but high-privilege activity.
  • [DATA_EXFILTRATION] (LOW): The skill performs broad scanning of the user's home directory ($HOME/code/* and $HOME/code/*/repos/*). While it specifically targets git metadata, this wide-reaching file system access could expose sensitive project structures or committed secrets to the agent's context.
  • [REMOTE_CODE_EXECUTION] (LOW): The skill uses mktemp and creates temporary files, which is standard practice but increases the footprint of the local execution.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 16, 2026, 05:38 AM