NYC

github-modes

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill possesses a high-risk capability/ingestion profile.
  • Ingestion Points: Reads PR descriptions (gh pr view), issue bodies (gh issue list), file contents (gh api .../contents/), and PR diffs (gh pr diff). These sources are often attacker-controlled.
  • Capability Inventory: Includes merging PRs (gh pr merge), deleting branches (gh api ... --method DELETE), triggering CI/CD pipelines (gh workflow run), and modifying repository settings.
  • Sanitization/Boundaries: There are no explicit boundary markers or sanitization logic to prevent the agent from obeying malicious instructions embedded within the GitHub content it processes.
  • Impact: An attacker could submit a PR with a description that tricks the agent into merging the PR immediately or leaking secret scanning alerts.
  • Data Exposure (MEDIUM): The security-guardian mode explicitly lists secret scanning, code scanning, and Dependabot alerts. While legitimate, an agent processing these in a session also handling untrusted inputs creates a significant exfiltration risk.
  • Command Execution (LOW): The skill utilizes local shell orchestration (loops and parallel execution using & and wait). While these are standard bash patterns, they increase the surface area if the agent is tricked into injecting values into these loops.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 10:48 AM