skills/odyssey4me/agent-skills/gitlab/Gen Agent Trust Hub

gitlab

Pass

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: SAFE
DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • [INDIRECT_PROMPT_INJECTION]: The skill processes and displays external data (issue descriptions, merge request titles/bodies) fetched from GitLab. This content is considered untrusted as it can be controlled by any user with access to the repository.
      • Ingestion points: The scripts/gitlab.py script fetches data using glab and renders it via format_issue_summary and format_mr_summary functions.
      • Boundary markers: No explicit delimiters or instructions are used to prevent the agent from obeying commands embedded within the fetched GitLab content.
      • Capability inventory: The agent has the capability to execute glab commands, including creating issues, merging code, and triggering CI/CD pipelines.
      • Sanitization: The script performs minimal formatting (stripping whitespace) but does not sanitize or escape the content to prevent it from being interpreted as instructions by the model.
  • [DATA_EXFILTRATION]: In the references/common-workflows.md file, there is an example workflow that uses curl to send CI failure notifications to a Slack webhook (https://hooks.slack.com/services/YOUR/WEBHOOK/URL). While this is a common automation pattern, it demonstrates a network exfiltration path for data derived from the GitLab environment.
  • [COMMAND_EXECUTION]: The core functionality of the skill relies on executing the glab CLI through the subprocess.run method in scripts/gitlab.py. While the arguments are passed as a list to mitigate shell injection, the skill essentially provides the agent with full access to the local glab installation's capabilities.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 11, 2026, 03:23 AM