github-commit-push

Warn

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): The script scripts/commit-and-push.sh expands the variable $BRANCH without double quotes in several commands, including git rev-parse origin/$BRANCH, git pull origin $BRANCH and git push origin $BRANCH. An unquoted expansion undergoes word splitting and pathname expansion, so a branch name that contains whitespace or glob characters is broken into additional arguments to git; a caller who controls the branch name can therefore inject option-like tokens into the git invocation (argument injection). Shell metacharacters such as ; or $( ) are not re-interpreted when a variable is expanded, so this is not direct command substitution; it escalates to arbitrary code execution only where the value also reaches eval or a git option that runs a program. The fix is to quote every expansion ("$BRANCH") and to validate the branch name against an allow-list of ref-safe characters, rejecting values that begin with a dash, before it is used.
  • [DATA_EXFILTRATION] (LOW): The SKILL.md documentation instructs the agent to interact with the ~/.ssh directory by running ls ~/.ssh/id_*.pub and cat ~/.ssh/id_ed25519.pub. Both commands target public-key files only, but they direct the agent into a sensitive credential location, which increases the risk that a private key (the same path without the .pub suffix) is read or echoed by mistake.
  • [Indirect Prompt Injection] (LOW): The skill presents an attack surface for indirect prompt injection via its script parameters. 1. Ingestion points: the COMMIT_MSG, BRANCH and REMOTE_URL arguments of scripts/commit-and-push.sh. 2. Boundary markers: absent. 3. Capability inventory: the skill can execute shell commands and perform network operations via Git. 4. Sanitization: absent for the $BRANCH variable, as noted in the COMMAND_EXECUTION finding.
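The following is an added example, not code from the audited skill or from Gen Agent Trust Hub, that demonstrates the COMMAND_EXECUTION finding: what an unquoted $BRANCH actually does to the git command line, and the quoted, allow-listed variant the finding calls for. A stand-in function fake_git replaces git and reports the number of arguments it receives, so nothing touches a real repository; the function names and the allow-list pattern are assumptions of this example.

```shell
#!/usr/bin/env sh
# Added example (not the skill's own script). fake_git stands in for git and
# reports how many arguments it received, so the effect of quoting is visible.
fake_git() { echo "$#"; }

# Vulnerable pattern, as flagged in the finding: $BRANCH is expanded unquoted,
# so the value is word-split and glob-expanded into separate git arguments.
push_unquoted() {
  BRANCH=$1
  fake_git push origin $BRANCH
}

# Hardened pattern: quoting keeps the value a single argument to git.
push_quoted() {
  BRANCH=$1
  fake_git push origin "$BRANCH"
}

# Allow-list check (assumed policy): only ref-safe characters, no empty value,
# no leading '-' (would be parsed by git as an option), no '..', no '.lock'.
# Returns 0 for an acceptable branch name, 1 otherwise.
validate_branch() {
  case "$1" in
    ''|-*|*..*|*.lock|*[!A-Za-z0-9._/-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Hardened entry point: validate first, then pass the value quoted.
push_checked() {
  validate_branch "$1" || { echo "rejected branch name: $1" >&2; return 1; }
  fake_git push origin "$1"
}
```

Running push_unquoted with the value 'main --force' hands git four arguments instead of three, which is the argument injection the finding describes; the value 'main; rm -rf x' is split into six arguments but nothing is executed, because expansion does not re-parse metacharacters. push_quoted passes either value through as one argument, and push_checked refuses both before git is ever invoked.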
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 19, 2026, 03:56 PM