release-note-generation
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- Indirect Prompt Injection (LOW): The skill processes untrusted data from GitHub Pull Request titles and descriptions. This data could contain malicious instructions designed to hijack the agent's logic during labeling or summarization. Evidence:
  1. Ingestion: GitHub PR data via gh CLI and MCP server.
  2. Boundary markers: No delimiters or ignore instructions specified in prompt templates.
  3. Capability inventory: Execution of local PowerShell scripts and GitHub API modification.
  4. Sanitization: No sanitization of PR content is performed.
- Command Execution (MEDIUM): The workflow relies on executing multiple PowerShell scripts (e.g., dump-prs-since-commit.ps1, group-prs-by-label.ps1). While these are part of the skill package, they perform file system operations and system calls.
- External Downloads (LOW): The skill requires the installation of the github-mcp-server. Per [TRUST-SCOPE-RULE], dependencies from trusted organizations like GitHub/Microsoft are considered low risk.
Audit Metadata