skills/synapseradio/ai-skills/stax/Gen Agent Trust Hub

stax

Fail

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: HIGH
Categories: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The stax shell-setup --install command modifies persistent shell configuration files (such as ~/.zshrc or ~/.bashrc). This behavior establishes a mechanism for persistence and code execution whenever a new shell session is started.
  • [COMMAND_EXECUTION]: The stax run command enables the execution of arbitrary shell commands across all branches within a stack. This capability can be used to execute malicious payloads or perform unauthorized operations across a repository's history.
  • [CREDENTIALS_UNSAFE]: The skill handles sensitive GitHub authentication via stax auth --token. Documentation encourages passing personal access tokens directly as command arguments, which may lead to exposure in command history, process logs, or agent transcripts.
  • [EXTERNAL_DOWNLOADS]: The skill depends on the installation of the stax CLI from an external, non-trusted source (github.com/cesarferreira/stax). There is no mechanism provided for verifying the integrity or origin of this binary dependency.
  • [PROMPT_INJECTION]: The skill possesses a significant attack surface for indirect prompt injection by ingesting and processing untrusted data from external sources.
      ◦ Ingestion points: The skill reads PR comments via stax comments and processes Git conflict data via stax resolve.
      ◦ Boundary markers: There are no documented delimiters or instructions to ignore embedded malicious prompts within the processed data.
      ◦ Capability inventory: The tool has extensive capabilities including arbitrary command execution (stax run), file system modification (stax modify, stax branch squash), and network access (stax submit, stax sync).
      ◦ Sanitization: The skill does not implement sanitization or validation for data retrieved from external PR comments or git conflicts before using it to influence AI-driven actions.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 16, 2026, 01:37 PM