skills/shipshitdev/library/git-safety/Gen Agent Trust Hub

git-safety

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to ingest and process untrusted data from git repositories, including filenames, commit logs, and file contents. It lacks any boundary markers or sanitization logic, which creates a high-risk surface for Indirect Prompt Injection. An attacker could craft a repository that, when scanned or cleaned, exploits the agent's capabilities to execute unintended commands or manipulate the security process.
      • Ingestion points: git log, find ., and git grep in references/full-guide.md.
      • Boundary markers: Absent.
      • Capability inventory: git push --force in SKILL.md, pip install in references/full-guide.md, and chmod +x in references/full-guide.md.
      • Sanitization: Absent.
  • External Downloads & RCE (MEDIUM): The skill instructs the agent to install external software at runtime, specifically git-filter-repo and bfg, using package managers like pip and brew (found in references/full-guide.md). These are unverifiable dependencies that run with the agent's privileges.
  • Command Execution (HIGH): The skill utilizes high-impact commands, most notably git push origin --force --all, which can destructively rewrite remote history. It also performs broad searches for sensitive files (e.g., .env, credentials.json), which, while part of its purpose, grant the agent wide-reaching access to potential secrets in any directory where it is executed.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 10:44 PM