The Agent Skills Directory

[COMMAND_EXECUTION]: In references/WORKFLOW.md (Phase 0), the workflow contains a command injection vulnerability. The bash script parses user-supplied issue references using a regular expression ^([^#]+)#([0-9]+)$ that allows shell metacharacters in the REPO variable. This variable is subsequently used in unquoted shell commands such as gh issue view ${ISSUE_NUM} --repo ${REPO}, enabling arbitrary bash command execution.
[PROMPT_INJECTION]: The skill implements a workflow that ingests untrusted data from GitHub issues, creating an indirect prompt injection surface.
Ingestion points: Phase 1 gh issue view command in references/WORKFLOW.md.
Boundary markers: Absent; external issue text is interpolated directly between Markdown headers in prompts for LLM consultants.
Capability inventory: The skill has extensive filesystem and shell access via the Write, Edit, and Bash tools.
Sanitization: Absent; issue titles and descriptions are processed without sanitization before being used to guide planning and review loops.
[EXTERNAL_DOWNLOADS]: The skill fetches data from GitHub repositories and issues. While GitHub is a trusted service, the downloaded content is user-generated and serves as the primary instructions for the agent's workflow phases, posing a significant risk in the absence of boundary markers or input validation.

develop