github-multi-repo
Warn
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill employs a consistent obfuscation technique by substituting standard path and URL separators with '$' characters (e.g., 'github.com$ruvnet$claude-flow', 'repos$my-organization', '$workspaces$ruv-FANN$'). This obscures intent and can bypass simple security filters designed to detect sensitive paths or external URLs.
- [PROMPT_INJECTION]: The skill exhibits a high susceptibility to indirect prompt injection. It ingests untrusted data from remote repositories, such as 'package.json' and 'CLAUDE.md' files, using the GitHub API and file read operations. Because the skill lacks explicit boundary markers or sanitization logic, malicious instructions embedded in these external files could be executed by the agent during its automated workflows.
- [COMMAND_EXECUTION]: The skill makes extensive use of the 'Bash' primitive to execute shell commands for cloning repositories, managing dependencies, and performing automated git operations (commit, push, PR creation). While these are part of its core functionality, the lack of input validation for repository data increases the risk that an attacker-controlled repository could trigger dangerous command execution.
Audit Metadata