The Agent Skills Directory

[COMMAND_EXECUTION]: The skill uses the Bash tool to execute Python scripts where user-provided inputs such as {username} and {N} are directly interpolated into shell command strings (e.g., python3 scripts/github-api-fetcher.py repos --username {username}). This presents a significant command injection surface where a maliciously crafted username could execute arbitrary code or perform path traversal.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to the hardcoded instruction to 'Read and follow repository CLAUDE.md files before execution'. Since the skill's primary purpose is to fetch and analyze content from untrusted remote GitHub repositories, an attacker could place malicious instructions in a CLAUDE.md file to hijack the agent session.
[PROMPT_INJECTION]: Indirect Prompt Injection Mandatory Evidence: 1. Ingestion points: Fetches repository metadata, file contents, commit messages, and PR reviews via the GitHub API. 2. Boundary markers: Absent; the skill is explicitly told to 'follow' repository instructions rather than treating them as untrusted data. 3. Capability inventory: The agent has access to Bash, Write, WebFetch, Edit, and Grep tools. 4. Sanitization: No sanitization or filtering logic is described for the content fetched from the GitHub API.
[REMOTE_CODE_EXECUTION]: The skill relies on multiple external scripts (scripts/github-api-fetcher.py and scripts/rules-compiler.py) that are referenced in the workflow but are not included in the provided skill files. This prevents verification of the skill's actual logic and dependencies.

github-profile-rules