skills/zfael/brn/github/Gen Agent Trust Hub

github

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill creates a high-privilege vulnerability surface where untrusted external data can influence agent logic.
      • Ingestion points: Scripts list_repos.ts, get_repo_info.ts, and list_prs.ts retrieve and display content from GitHub API endpoints (repository names, descriptions, and PR titles) which are under the control of potentially untrusted third parties.
      • Boundary markers: Absent. The scripts output raw API data directly to the console without using delimiters (like XML tags or Markdown blocks) or providing the agent with instructions to disregard embedded commands.
      • Capability inventory: The skill provides the create_pr.ts script, which allows the agent to perform write operations (POST requests) to GitHub repositories.
      • Sanitization: No sanitization or validation of the retrieved API data is performed before it is presented to the agent's context.
  • [Command Execution] (LOW): The skill relies on npx tsx to execute its logic. While a standard pattern for TypeScript execution, it requires a shell environment and relies on the npx package runner, which introduces a dependency on the integrity of the local environment and the npm registry.
  • [Credential Safety] (INFO): The skill uses a github_token configured via an external workspace manager. While it avoids hardcoded secrets, users should ensure the token has the minimum necessary scopes to mitigate the impact of potential session hijacking or injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 08:58 AM