The Agent Skills Directory

[Indirect Prompt Injection] (LOW): The skill processes untrusted data from GitHub issue descriptions and comments to drive its investigation logic.
Ingestion points: The agent reads content from $ARGUMENTS (GitHub issue number) and specifically looks at "issue description and comments".
Boundary markers: Absent. There are no delimiters or instructions to ignore embedded commands within the issue text.
Capability inventory: The agent can execute commands via rails-console-explorer, navigate a browser via Playwright, and write comments back to GitHub.
Sanitization: Absent. The skill directly passes the issue_description to sub-tasks.
[Command Execution] (MEDIUM): The skill utilizes a rails-console-explorer agent, which provides a high-privilege interface for executing arbitrary Ruby code within the application environment.
Evidence: Task rails-console-explorer(issue_description) in SKILL.md.
Risk: If the issue_description contains malicious instructions (see Indirect Prompt Injection), the agent might be tricked into executing destructive Ruby commands or modifying the database.
[Data Exfiltration] (LOW): The skill is designed to collect internal system information and screenshots, then post them to an external platform (GitHub).
Evidence: Phase 4: Report Back specifies adding a comment to the GitHub issue with findings, screenshots, and relevant code.
Risk: While intended for debugging, there is a risk that sensitive production data, environment variables, or PII contained in logs or captured in browser screenshots could be inadvertently leaked to the public/shared issue tracker.

reproduce-bug