ralph-github-start-loop
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill ingests untrusted data from GitHub issues (gh issue list, gh sub-issue list) without sanitization or clear boundary markers. This data influences agent decisions (e.g., 'Pick the right story'), creating an injection surface where an attacker can control the agent's logic through issue content.
- [Remote Code Execution] (HIGH): In references/prompt.md, the agent is specifically instructed to 'Run the quality gates specified in the PRD issue (look for ## Quality Gates section)'. This allows an external, untrusted source (the GitHub issue body) to define and execute arbitrary shell commands on the host, which is a critical RCE vulnerability.
- [Command Execution] (MEDIUM): The skill relies on and executes a local script, ~/.claude/skills/loop-github-issues/loop-github-issues.sh. The absence of this script's source code in the provided files prevents verification of its safety.
- [Data Exposure & Write Access] (MEDIUM): The agent possesses extensive write capabilities, including modifying the filesystem (e.g., AGENTS.md), committing to git, and closing GitHub issues. These capabilities significantly elevate the impact of a successful prompt injection or RCE attack.
Recommendations
- AI detected serious security threats