create-pr-text
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect prompt injection surface identified through the processing of untrusted data from GitHub. The skill fetches content from external issues (`gh issue view`) and commit messages (`git log`), which could contain instructions intended to manipulate the agent's reasoning or output format.
  * Ingestion points: Issue body content from `gh issue view` and commit descriptions from `git log` and `git show` (found in SKILL.md).
  * Boundary markers: Absent. The instructions do not define delimiters or provide warnings to ignore instructions embedded within the fetched data.
  * Capability inventory: The skill has access to `Bash`, `Write`, and `Read` tools, which could be abused if the agent is successfully manipulated by injected text.
  * Sanitization: No validation or sanitization of the external content is specified.
- [COMMAND_EXECUTION]: Potential for command injection and path traversal via the `$ARGUMENTS` parameter. The skill uses user-provided identifiers to execute shell commands (`gh issue view`) and to write files (`tmp/issues/<issue番号>/pr.md`).
  * Evidence: The issue identifier or URL passed in `$ARGUMENTS` is directly incorporated into shell commands and file system paths. If an attacker provides a malformed identifier containing shell metacharacters or directory traversal sequences (e.g., `../`), it could lead to unauthorized command execution or writing to arbitrary file locations.
Audit Metadata