generating-patches

Warn

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The use of git diff --name-only | xargs file in SKILL.md is a vulnerable shell pattern. Because xargs is used without the -0 flag, it incorrectly parses filenames containing spaces or shell metacharacters. In certain environments, this could be exploited by a repository containing specially crafted filenames to execute unintended arguments or commands.
  • [DATA_EXFILTRATION]: The skill instructs the agent to execute git add -A and subsequently export a diff to /mnt/user-data/outputs/. This workflow blindly incorporates all files in the working directory into the patch file. If the environment contains sensitive information such as .env files, SSH keys, or cloud credentials, these will be captured in the patch and made available for download, leading to accidental data exposure.
  • [PROMPT_INJECTION]: The skill operates on arbitrary codebase content, which presents a surface for indirect prompt injection attacks.
  • Ingestion points: Reads file content through git diff and direct filesystem access in SKILL.md.
  • Boundary markers: The prompt lacks delimiters or specific instructions to the agent to ignore any potential AI commands embedded within the code being processed.
  • Capability inventory: The skill enables the agent to execute shell commands and write files to an output directory.
  • Sanitization: There is no sanitization of the content before it is used to generate summaries or pull request descriptions.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 7, 2026, 04:36 AM