agent-swarm-issue (skill at skills/ruvnet/ruflo/agent-swarm-issue)

Audit result: Fail

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute scripts that interpolate variables derived directly from untrusted GitHub issue content (titles, bodies, and subtask descriptions) into command lines. This creates a high risk of command injection if an issue title or body contains shell metacharacters such as backticks or $(...). Evidence: in SKILL.md, the script constructs commands such as gh issue create --title "$TITLE" --body "$BODY", where the variables are assigned from raw issue data without sanitization.
  • [EXTERNAL_DOWNLOADS]: The skill fetches and executes the ruv-swarm package from the npm registry at runtime via npx. Evidence: multiple features, including 'Issue-to-Swarm Conversion' and 'Task Decomposition', depend on running npx ruv-swarm to perform the core orchestration logic.
  • [PROMPT_INJECTION]: The skill parses and executes commands embedded in GitHub issue comments (e.g., $swarm analyze). This is a direct surface for indirect prompt injection: anyone who can comment on an issue can influence the agent's actions.
    1. Ingestion points: the skill reads GitHub issue bodies and comments via gh issue view and gh issue list.
    2. Boundary markers: no delimiters or safety instructions separate issue content from system instructions.
    3. Capability inventory: the skill has access to Bash, Write, GitHub management tools, and agent spawning via mcp__claude-flow__agent_spawn.
    4. Sanitization: no sanitization, escaping, or validation of GitHub content is performed before processing or command interpolation.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 1, 2026, 04:33 PM