The Agent Skills Directory

[PROMPT_INJECTION]: The skill contains self-modification instructions that direct the agent to rewrite its own source code.
Evidence: The 'Self-Evolving Skill' section in SKILL.md states: 'If instructions are wrong... fix this file immediately, don't defer.' and the 'Post-Execution Reflection' section reinforces this: 'Find this SKILL.md's canonical path before editing... Log it. Do NOT defer. The next invocation inherits whatever you leave behind.'
Risk: This instruction creates a persistence mechanism where the agent's behavior can be permanently altered based on runtime execution results.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes untrusted data from external sources.
Ingestion points: The skill uses gh api in SKILL.md (Steps 5 and 7) to fetch commit messages and pull request titles/bodies from third-party GitHub forks.
Boundary markers: Absent. The data is processed directly via shell pipes to jq and then into the agent's context.
Capability inventory: The skill uses Bash, Grep, and Glob tools, and has instructions to write to the file system (Self-Evolving mechanism).
Sanitization: Absent. There is no evidence of escaping or filtering of the fetched GitHub metadata.
[DATA_EXFILTRATION]: The skill systematically collects Personally Identifiable Information (PII) from commit history.
Evidence: SKILL.md Step 5 uses gh api with the query .commits[] | {..., author: .commit.author.email} to extract contributor email addresses for 'Institutional contributor' analysis.
[COMMAND_EXECUTION]: The skill contains numerous complex shell command snippets for execution.
Evidence: Steps 1 through 7 in SKILL.md provide bash commands using gh api and jq for repository interrogation and data processing.

fork-intelligence