skills/schpet/toolbox/jj/Gen Agent Trust Hub

jj

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION, NO_CODE
Full Analysis
  • PROMPT_INJECTION (LOW): The skill exposes a surface for indirect prompt injection because it facilitates the ingestion of untrusted data from version control repositories into the agent's context. This is an inherent risk for VCS-related skills.
      • Ingestion points: Untrusted content enters via jj diff, jj show, and jj log operations, which read repository history and file contents (documented in references/jj-diff.md, references/jj-show.md, and references/jj-log.md).
      • Boundary markers: The documentation does not provide specific instructions for agents to use delimiters or ignore instructions found in repo data, though it does suggest structured JSON output, which aids safe parsing.
      • Capability inventory: The Jujutsu tool allows arbitrary command execution via its util exec subcommand, file reading via file show, and network operations via git push/fetch (documented in references/jj-util-exec.md, references/jj-file-show.md, and references/jj-git-push.md).
      • Sanitization: No sanitization logic is provided in the skill.
  • COMMAND_EXECUTION (SAFE): The skill documents standard CLI features of Jujutsu, including subcommands that interface with the host system (util exec, fix). These are documented features of the VCS itself and the skill includes appropriate warnings about their misuse.
  • NO_CODE (SAFE): The skill is composed entirely of Markdown reference files and contains no automated installation scripts, executable binaries, or configuration files that would be executed upon loading.
  • SAFE (SAFE): The instructions in SKILL.md provide helpful best practices for AI agents, such as using non-interactive flags to prevent process hangs and utilizing JSON templates for structured data parsing.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:37 PM