autonomous-orchestration

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • PROMPT_INJECTION (LOW): The trigger_research_cycle function in reference/failure-recovery.md constructs a prompt for a secondary AI worker by interpolating the output of get_attempt_history. This history likely contains untrusted content from GitHub issue comments, creating an indirect prompt injection surface.
  • Ingestion points: The get_attempt_history function in reference/failure-recovery.md (line 34) pulls untrusted data into the agent context.
  • Boundary markers: Absent; the history is directly embedded into the prompt string without delimiters or instructions to ignore nested commands.
  • Capability inventory: Research agents are granted the following tools: Read, Grep, Glob, WebFetch, WebSearch, and mcp__github__add_issue_comment (line 52, failure-recovery.md).
  • Sanitization: No sanitization or escaping of external content is present before interpolation into the prompt.
  • DATA_EXFILTRATION (LOW): No explicit exfiltration is programmed, but the research agents are equipped with tools for local file access (Read) and outbound network requests (WebFetch). If an indirect prompt injection succeeds, an attacker could instruct the agent to send sensitive environment data or local source code to an external URL. Because the intended environment targets trusted domains (GitHub), the severity is kept at LOW.
  • COMMAND_EXECUTION (LOW): The orchestration logic makes extensive use of the gh and claude CLIs via shell scripts. Commands are built using variables like $issue and $branch. While basic safety measures like slugify_issue_title are mentioned, the reliance on shell-based construction for complex CLI arguments necessitates careful verification of input sanitization in the referenced helper functions to prevent command injection.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:14 PM