skills/vmvarela/skills/github-scrum/Gen Agent Trust Hub

github-scrum

Pass

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS

Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data retrieved from GitHub Issues. Malicious instructions embedded in a feature description or acceptance criteria could influence the agent's behavior during sprint planning or refinement tasks.
      • Ingestion points: Untrusted data enters the context via mcp_github_github_issue_write and gh issue create as shown in SKILL.md.
      • Boundary markers: The issue templates provided lack explicit delimiters or instructions to ignore embedded prompts within the user-provided fields.
      • Capability inventory: The skill utilizes subprocess execution of the gh CLI and various GitHub MCP tools to modify repository state.
      • Sanitization: No input validation, escaping, or sanitization is performed on user-provided strings before they are interpolated into the issue body markdown.
  • [COMMAND_EXECUTION]: The skill relies on the gh CLI as a fallback for operations such as pinning issues, creating milestones via the GitHub API, and managing labels. This involves executing shell commands that rely on the user's local authentication state.
  • [EXTERNAL_DOWNLOADS]: The project initialization process configures several GitHub Action workflows that utilize external dependencies, including actions/labeler@v5, actions/stale@v9, release-drafter/release-drafter@v6, and toshimaru/auto-author-assign@v2.1.1. These are established automation tools within the GitHub ecosystem.

Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 14, 2026, 09:13 PM