The Agent Skills Directory

[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from local git repositories to generate documentation and cross-entry analysis. An attacker with the ability to influence a repository's history could inject malicious instructions to manipulate the agent's output.
Ingestion points: The agent reads commit messages, git diffs, file change statistics, and README.md content during Phase 1 (Auto-Drafting).
Boundary markers: There are no clear delimiters or instructions designed to isolate the ingested git data from the agent's internal reasoning or to prevent the execution of embedded instructions.
Capability inventory: The skill has the capability to write to the local file system (extending been-there-done-that.md) and execute various bash/git commands.
Sanitization: No sanitization or filtering is applied to commit messages or file content before they are interpolated into the agent's drafting and analysis logic.
[COMMAND_EXECUTION]: The skill performs its analysis by executing a series of local shell commands (git, awk, sed, head, basename) using parameters derived from user input.
Evidence: The workflow involves running git -C <repo_path> commands and processing file content using head -100 and awk scripts to calculate session boundaries and infer project names.

been-there-done-that