github-workflow-automation
Fail
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The '@mention Bot' workflow (section 5.1 in SKILL.md) is vulnerable to shell command injection. The step 'Extract question' directly expands the untrusted ${{ github.event.comment.body }} expression within a bash script. An attacker can craft a comment containing shell metacharacters (e.g., $(...) or backticks) to execute arbitrary commands on the GitHub Actions runner.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because it processes untrusted data from GitHub and has significant write permissions.
- Ingestion points: Untrusted data enters the agent context through PR diffs (steps.diff.outputs.diff), issue titles and bodies, and user-provided comments.
- Boundary markers: The prompts use basic labels like 'Context:' and 'Question:' but lack robust delimiters or explicit instructions to ignore embedded commands, making it easier for the model to follow malicious instructions hidden in the data.
- Capability inventory: The skill can post comments, apply labels, create PR reviews, trigger deployments, and perform git operations like rebasing and pushing.
- Sanitization: While some workflows use environment variables to mitigate direct script injection, the textual content is still passed to the AI without sanitization, leaving the logic vulnerable to being subverted by indirect instructions.
- [EXTERNAL_DOWNLOADS]: The skill references and downloads dependencies from trusted sources.
- Fetches the @anthropic-ai/sdk package for AI communication.
- Uses official and well-known GitHub Actions including actions/checkout, actions/github-script, actions/stale, and slackapi/slack-github-action.
Recommendations
- AI detected serious security threats
Audit Metadata