The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The skill instructions in both SKILL.md and README.md direct the installation of a Python package named graphifyy (pip install graphifyy). However, the README links to the official graphify project on GitHub (https://github.com/safishamsi/graphify). This inconsistency (extra 'y') is a strong indicator of a typosquatting attack designed to execute malicious code during package installation.
[REMOTE_CODE_EXECUTION]: By instructing the installation of an unverified and likely malicious package (graphifyy), the skill facilitates arbitrary code execution on the user's system under the guise of setting up a dependency.
[DATA_EXFILTRATION]: The skill's workflow involves reading docstrings and comments from the codebase and using them to generate documentation and Pull Request descriptions. Since this content is attacker-controlled in an untrusted codebase, it creates a surface for indirect prompt injection. A malicious instruction embedded in a docstring could trick the agent into exfiltrating the GITHUB_TOKEN or other sensitive environment variables within the PR body.
[COMMAND_EXECUTION]: The skill performs sensitive shell operations, including Git commits and GitHub PR creation (gh pr create). These operations are granted access to a GITHUB_TOKEN, which could be compromised via the injection surface mentioned above.
[PROMPT_INJECTION]: The skill lacks security controls for Category 8 (Indirect Prompt Injection). Ingestion points: Codebase docstrings and comments are ingested via graphify ., extract_py.py, and extract_ts.ts. Boundary markers: Absent; there are no instructions to the agent to treat docstrings as untrusted data or delimiters used in templates. Capability inventory: The skill possesses file-write, network access (cloning repos), and authenticated GitHub API capabilities. Sanitization: Absent; the skill directly interpolates extracted docstrings into documentation templates.

docs-from-code