project-session-manager

Pass

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (LOW): The skill fetches PR and Issue descriptions from external sources (GitHub, GitLab, Bitbucket, etc.) and interpolates them into markdown templates used to guide the agent's tasks. This creates a surface for indirect prompt injection where an attacker could influence the agent via malicious content in a repository.
      • Ingestion points: provider_github_fetch_pr, provider_gitlab_fetch_pr, provider_bitbucket_fetch_pr, and related functions in lib/providers/*.sh.
      • Boundary markers: Templates in templates/*.md use markdown headers (e.g., ## Description) to separate fetched content, but they lack explicit instructions to the agent to ignore any commands found within the external text.
      • Capability inventory: The skill can manage git worktrees, execute provider CLI commands (gh, glab, az), create/kill tmux sessions, and launch the claude command.
      • Sanitization: While the skill sanitizes filenames and paths, it does not sanitize or escape the text content of the fetched PR/Issue bodies before they are presented to the agent.
  • [External Downloads] (LOW): The skill makes network requests to retrieve data from code hosting providers using curl and specialized CLIs. These requests are directed at well-known, trusted domains (github.com, gitlab.com, bitbucket.org) or user-configured endpoints (for Gitea), which is consistent with its primary purpose.
  • [Command Execution] (SAFE): The skill frequently executes shell commands (git, tmux, jq). It employs safe patterns such as strict regex validation for function dispatching in lib/interface.sh (provider_call) and robust path validation in lib/worktree.sh (validate_worktree_path) to prevent path traversal and arbitrary command injection.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 21, 2026, 07:34 PM