gh-bootstrap

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (MEDIUM): The skill downloads external templates via git clone and writes them directly into the .github/workflows/ directory. Because files in this directory are automatically executed by GitHub's Actions runner, this constitutes a supply chain risk if the remote template repositories are compromised or point to malicious forks. This risk is inherent to the skill's primary purpose.
  • [COMMAND_EXECUTION] (MEDIUM): The skill makes extensive use of the Bash tool to perform system-level operations, including git clone, mkdir, cp, and rm -rf. These commands are used to manage the local environment and fetch external resources.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill performs network operations to fetch content from GitHub repositories specified in an external template-catalog.md file (not provided in the source). The lack of integrity checks or pinned versions for these external dependencies increases the attack surface.
  • [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection. It reads metadata from local project files (e.g., package.json, pyproject.toml) and interpolates this untrusted data into generated templates (like README.md or workflows) without explicit sanitization. Ingestion points: Phase 1 project scanning (phases/01-detection.md). Boundary markers: Absent during interpolation. Capability inventory: High-privilege access via Write and Bash tools. Sanitization: No evidence of validation or escaping for extracted metadata strings.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 17, 2026, 06:38 PM