The Agent Skills Directory

[CREDENTIALS_UNSAFE]: The skill instructions in SKILL.md and references/graphql-queries.md direct the agent to read sensitive GitHub tokens from ~/.claude/.secrets/gh-token-terrylica. It specifically suggests using cat ... | head -c 10 to check the token type, which risks leaking parts of the credential into the agent's context or logs.
[COMMAND_EXECUTION]: In references/auto-link-config.md, the provided TypeScript implementation for an onPostToolUse hook contains a command injection vulnerability. The code parses tool output using regular expressions and interpolates the resulting strings directly into execSync calls without any validation or sanitization.
[PROMPT_INJECTION]: The skill features a 'Self-Evolving Skill' directive in SKILL.md that instructs the agent to 'fix this file immediately' if issues are found. This pattern allows for persistence of behavior changes and could be abused by an attacker to override safety guidelines or inject malicious instructions into the skill's permanent configuration.
[INDIRECT_PROMPT_INJECTION]: The skill processes untrusted data from external sources as a primary function, creating an attack surface for indirect prompt injection.
Ingestion points: GitHub Issue titles, bodies, and comments retrieved via gh issue list and gh issue view commands.
Boundary markers: None. The skill does not use delimiters or instructions to prevent the agent from following directions embedded in the issues it processes.
Capability inventory: The skill has access to the Bash and Write tools, and it uses gh api to perform GraphQL mutations on repositories.
Sanitization: There is no mention of sanitizing or escaping the data retrieved from GitHub before it is used in subsequent command-line operations or PR creation.

issues-workflow