The Agent Skills Directory

[COMMAND_EXECUTION]: The skill utilizes shell command templates that interpolate external variables such as FORK_OWNER and FEATURE_BRANCH into bash strings. These variables are derived from GitHub API responses which are attacker-controlled. A malicious actor could craft a branch name or username containing shell metacharacters (e.g., semicolons, backticks, or subshell syntax) to execute arbitrary commands when the agent runs the provided scripts.
[REMOTE_CODE_EXECUTION]: The command injection vulnerability in the shell templates allows for potential arbitrary code execution on the system where the agent is running, triggered by malicious metadata from a processed GitHub repository.
[PROMPT_INJECTION]: The skill processes untrusted data from GitHub (including commit messages, PR titles, and issue counts), creating a surface for indirect prompt injection. Ingestion points: Commit messages and pull request metadata fetched via the GitHub API in SKILL.md (Steps 5 and 7) and references/signal-priority.md (Rank 2). Boundary markers: The instructions do not define delimiters or specific warnings to ignore instructions embedded within the analyzed metadata. Capability inventory: The agent is granted access to the Bash, Read, Grep, and Glob tools, which could be leveraged if an injection is successful. Sanitization: No sanitization or validation of the retrieved GitHub metadata is performed before the data is processed or displayed.

fork-intelligence