skills/tenequm/claude-plugins/gh-cli/Gen Agent Trust Hub

gh-cli

Pass

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and process data from untrusted external GitHub repositories. This creates a surface for indirect prompt injection if the fetched files contain malicious instructions intended to manipulate the agent's behavior during analysis.
      • Ingestion points: SKILL.md (Quick Operations, Step 3: Fetch key files) and references/remote-analysis.md describe workflows for fetching file content using gh api.
      • Boundary markers: Examples use shell redirection (e.g., > repo1-index.ts) to isolate content into files, but the subsequent manual analysis or grep operations requested in SKILL.md (Step 4: Analyze differences) expose the agent to the file contents.
      • Capability inventory: The skill utilizes shell command execution including gh, jq, base64, diff, and grep across all workflows.
      • Sanitization: No explicit sanitization, validation, or "ignore embedded instructions" delimiters are implemented for the fetched remote content.
  • [COMMAND_EXECUTION]: The skill guides the agent to perform a wide variety of shell-based operations using the GitHub CLI and local utilities like jq, base64, and diff. This is a core functional requirement of the skill but relies on the agent having significant local shell capabilities.
  • [EXTERNAL_DOWNLOADS]: The skill fetches repository metadata and file contents from the GitHub API (api.github.com). As GitHub is a well-known and trusted service, these network operations are documented neutrally and do not contribute to verdict escalation.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 9, 2026, 12:12 PM