The Agent Skills Directory

[COMMAND_EXECUTION]: The Makefile and Justfile templates in references/build-integration.md are vulnerable to shell command injection via the version override variable. The templates interpolate the user-provided version string directly into a shell command: uv run scripts/version.py stamp --version "$(V)". If the variable V contains shell metacharacters such as backticks or semicolons, the shell will execute those commands on the host machine.
[COMMAND_EXECUTION]: The GitHub Actions workflow snippet in references/build-integration.md contains a critical command injection vulnerability in the run step. By using ${{ inputs.version }} directly within a bash script, the template allows any user with permission to trigger the workflow to execute arbitrary code in the CI/CD runner context. This is a violation of security best practices for GitHub Actions.
[COMMAND_EXECUTION]: The Python script scripts/version.py executes the git command using subprocess.run to compute commit counts. While the implementation uses the safer array-based execution method and hardcoded commands, it establishes a dependency on the system shell and local git installation.

ai-changelog