git-intelligence
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs and executes various bash commands using the git binary. It dynamically interpolates user-provided values such as branch names, tags, dates, and file paths into these commands without explicit instructions for input validation or shell escaping, creating a surface for command injection.
- [DATA_EXFILTRATION]: The skill accesses sensitive information within the git repository. This includes reading full source code diffs, commit history, and personally identifiable information (PII) such as developer names and emails extracted via the `git blame` command.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the ingestion of untrusted repository data.
  - Ingestion points: Untrusted data enters the context through `git log` (commit messages) and `git diff` (code content), as seen in SKILL.md steps 3A through 3E.
  - Boundary markers: Absent. The skill instructions do not specify the use of delimiters or 'ignore' instructions to prevent the agent from obeying commands embedded in commit messages or file content.
  - Capability inventory: The skill uses `bash` subprocess calls to interact with the repository and perform logical analysis.
  - Sanitization: Absent. There is no requirement for the agent to sanitize or filter out potential injection patterns within the ingested git metadata before generating reports.
Audit Metadata