wf1-kickoff

Warn

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill frequently executes shell commands (git, gh, jq, mkdir) using arguments derived from external sources like GitHub issue titles and Jira IDs. While it includes a 'slug' generation step to sanitize some inputs (alphanumeric and hyphens only), other fields like titles and instructions are used in processing.
  • [REMOTE_CODE_EXECUTION]: In Phase 1, Step 5, the skill executes `source "$HOME/.claude/scripts/wf-init.sh" && wf_init_project`. This involves sourcing and executing a script located in the user's home directory that is not part of the skill's own package, representing a dynamic execution of external code.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection (Category 8). It fetches and analyzes 'feedback sources' including GitHub PR reviews, comments, and Issue bodies (gh pr view, gh issue view). This untrusted data is then used to 'Analyze feedback' and 'Generate revision plan' without explicit sanitization or boundary markers mentioned in the instructions, which could allow an attacker to influence the agent's behavior via malicious comments.
  • Ingestion points: GitHub Issue bodies/comments and Pull Request reviews/comments (SKILL.md, Revise Processing section).
  • Boundary markers: None specified for the feedback analysis phase.
  • Capability inventory: Subprocess execution (git, gh, jq), file system writes (state.json, docs/wf/), and local script sourcing.
  • Sanitization: Slug generation uses regex-like constraints (alphanumeric+hyphens), but the content of 'revise' instructions and PR feedback is processed for logic changes without visible sanitization.
  • [DATA_EXFILTRATION]: The skill uses gh auth status and interacts with local configuration files like .wf/config.json. While it primarily targets GitHub (a whitelisted/well-known service), it handles session-related information and project metadata.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 2, 2026, 08:23 AM