github-branch-policy

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill carries a high risk of indirect injection because it processes untrusted data from a repository and uses it in security-sensitive operations.
      • Ingestion points: Data enters via gh api (rulesets, PR lists) and gh workflow view (YAML contents) as seen throughout SKILL.md.
      • Boundary markers: There are no boundary markers or explicit instructions to ignore instructions embedded in the analyzed repository content.
      • Capability inventory: The skill possesses write-level capabilities including gh workflow disable and git push origin --delete (Sections 6, 7, and 10).
      • Sanitization: The skill does not sanitize or escape data before it is interpreted by the agent or interpolated into shell commands.
  • [Command Execution] (HIGH): Several remediation steps in SKILL.md (specifically Section 10) direct the agent to execute commands like git push origin --delete "<branch>". If a branch name is maliciously crafted with shell metacharacters (e.g., "; rm -rf /; #), it could lead to arbitrary command execution on the runner.
  • [Data Exposure] (INFO): The skill accesses repository configuration and Actions workflow metadata. While this is required for the audit, it confirms that the skill has access to potentially sensitive repository structure and policy information.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 01:02 PM