mastering-github-cli

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill creates a significant attack surface by fetching and processing untrusted data from external sources.
    ◦ Ingestion points: scripts/wait-for-run.sh ingests workflow logs via gh run view --log-failed. scripts/find-repos-with-path.sh and scripts/batch-search.sh ingest repository metadata and code snippets via gh search.
    ◦ Boundary markers: No boundary markers or 'ignore' instructions are present when these external data sources are piped to the agent's context.
    ◦ Capability inventory: The skill allows the agent to execute gh workflow run, gh pr create, and gh api, providing a path for an attacker to influence repository state if they can inject instructions into logs or file paths.
    ◦ Sanitization: No sanitization or validation is performed on the data fetched from GitHub before it is presented to the agent.
  • External Downloads (MEDIUM): The README instructs users to pip install skilz, a third-party 'universal installer'.
    ◦ Evidence: This tool is not from a verified trusted organization or repository list provided in the security protocols. Installing unverified package managers increases the risk of supply chain attacks.
  • Command Execution (LOW): The skill frequently executes shell commands via Bash.
    ◦ Evidence: While the commands (primarily gh and jq) are standard for the skill's purpose, the use of eval or unsanitized variable interpolation in the provided scripts (e.g., gh "${SEARCH_ARGS[@]}" in find-repos-with-path.sh) requires the agent to be cautious when generating inputs for these scripts.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 01:26 AM