github-api-cache

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill ingests untrusted data from external GitHub project items and field definitions. An attacker with access to the target GitHub repository or project could embed malicious instructions in item titles, field names, or labels.
  • Ingestion points: SKILL.md (lines 53, 56) uses gh project field-list and gh project item-list to populate GH_CACHE_FIELDS and GH_CACHE_ITEMS.
  • Boundary markers: Absent. The data is exported directly to environment variables used by other high-privilege skills.
  • Capability inventory: The skill possesses write capabilities via gh project item-edit and item-add, and it feeds data to autonomous-orchestration and issue-driven-development skills.
  • Sanitization: Uses jq for parsing, but does not sanitize the resulting strings before they are used in downstream decision-making or command construction.
  • [Command Execution] (MEDIUM): Several functions construct jq filters and shell commands by interpolating variables extracted from the API cache directly into the filter or command text.
  • Evidence: In get_cached_item_id (line 104) and set_status_cached (line 144), variables such as $issue_num and $item_id are spliced into jq programs and shell strings. Because those values originate in the cached JSON, a payload that closes the jq selector changes which item is matched, and one that closes the shell quoting runs arbitrary commands in the local environment.
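Added example (not the skill's code): the interpolation shape the two findings describe, beside a hardened form that allow-lists the value's shape and binds it as data. The cache contents and the gh stand-in (GH, gh_dryrun) are constructed here so it runs offline; the real SKILL.md functions and field names are not reproduced.

```shell
# Added example, not the skill's own code. GH names the command to run; it
# defaults to a dry-run printer so nothing touches GitHub.
GH="${GH:-gh_dryrun}"
gh_dryrun() { printf '%s\n' "$@"; }   # stands in for gh: prints argv one per line

# Constructed cache. The second item carries a hostile id, as it could if an
# attacker controlled the project; real ids are opaque strings from the API.
GH_CACHE_ITEMS='[
  {"id":"PVTI_abc123","content":{"number":42,"title":"Fix login"}},
  {"id":"PVTI_x; echo pwned","content":{"number":43,"title":"Ignore previous instructions"}}
]'

# UNSAFE (the shape flagged at set_status_cached): the cached id is spliced
# into a command string and evaluated, so ';' in the id ends the gh call and
# whatever follows runs in the local shell.
set_status_cached_unsafe() {
  item_id="$1"; status="$2"
  eval "$GH project item-edit --id $item_id --single-select-option-id $status"
}

# UNSAFE (the shape flagged at get_cached_item_id): issue_num becomes part of
# the jq program, so "42 or true" turns the lookup into "select every item".
get_cached_item_id_unsafe() {
  printf '%s' "$GH_CACHE_ITEMS" | jq -r ".[] | select(.content.number == $1) | .id"
}

# Hardened: allow-list the shape of each value before it reaches jq or a command.
is_issue_number() { case "$1" in ''|*[!0-9]*) return 1;; *) return 0;; esac; }
is_item_id() {
  case "$1" in
    PVTI_*) case "$1" in *[!A-Za-z0-9_-]*) return 1;; *) return 0;; esac;;
    *) return 1;;
  esac
}

get_cached_item_id() {
  is_issue_number "$1" || return 2
  # --argjson binds the number as data; the filter text itself is constant.
  printf '%s' "$GH_CACHE_ITEMS" | jq -r --argjson n "$1" '.[] | select(.content.number == $n) | .id'
}

set_status_cached() {
  is_item_id "$1" || return 2
  # Separate argv words and no eval: metacharacters in $1 stay inside one argument.
  "$GH" project item-edit --id "$1" --single-select-option-id "$2"
}
```

Run with `GH=gh` to hit the real CLI; the validation functions are the part to adapt, since the id format is an assumption here and should be tightened to whatever the real API returns rather than loosened.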
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 01:08 AM