jaan-issue-review

Pass

Audited by Gen Agent Trust Hub on Feb 24, 2026

Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes gh and git commands to manage GitHub issues, branches, and PRs. These operations are directed at the developer's specific repository (parhumm/jaan-to).
  • [PROMPT_INJECTION]: The skill fetches content from external GitHub issues (gh issue view), which introduces a surface for indirect prompt injection. A malicious issue could attempt to influence the automated planning phase.
      • Ingestion points: External data enters the workflow via GitHub issue bodies and comments in SKILL.md.
      • Boundary markers: Content is summarized and parsed, but no explicit technical delimiters are used to isolate untrusted data within the prompt context.
      • Capability inventory: The agent has permissions to edit/write files and execute shell commands, which could be exploited if an injection is successful.
      • Sanitization: The risk is effectively managed through a dedicated 'Security Review' step (Step 1.7) that evaluates plans for injection and privilege escalation, a security validation script (Step 5.5), and mandatory user approval 'Hard Stops' before any implementation or merging takes place.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 24, 2026, 06:32 PM