The Agent Skills Directory

[PROMPT_INJECTION]: Indirect Prompt Injection surface detected.
Ingestion points: The skill reads issueBody and branchName from ~/.config/marshroom/state.json as well as the current branch name from the git environment.
Boundary markers: No delimiters or "ignore embedded instructions" warnings are applied when interpolating the issue content into the Pull Request body.
Capability inventory: The skill possesses capabilities for git push, gh pr create/edit, and writing to local configuration files via jq.
Sanitization: There is no evidence of sanitization or escaping for the issueBody or branch names before they are used in command arguments or PR descriptions.
[COMMAND_EXECUTION]: Executes multiple shell commands including git, gh, jq, and the vendor-specific tool marsh.
Step 7 uses shell command substitution ($(gh pr view ...)) which can lead to unintended command execution if the PR body contains shell-active characters.
Step 9 involves an atomic file write using jq and mv, modifying the ~/.config/marshroom/state.json file.
[DATA_EXFILTRATION]: The skill performs legitimate but notable data transfer operations.
It executes git push -u origin HEAD, which uploads local source code to a remote server.
It extracts local metadata (issue titles and bodies) from the marshroom configuration and publishes them to GitHub as public Pull Request content.

create-pr