do-work
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it interprets instructions from untrusted external sources such as GitHub issue bodies and repository documentation.
  - Ingestion points: The skill explicitly reads the issue body, labels, blockers, and repository-specific orchestration files (e.g., docs/agents/orchestration-labels.md) to determine its logic as stated in SKILL.md.
  - Boundary markers: No delimiters or ignore-embedded-instruction warnings are present to isolate untrusted data.
  - Capability inventory: The agent has the ability to perform significant Git operations including branching, merging, committing, and pushing code, as well as managing GitHub issues through comments and closures.
  - Sanitization: There is no evidence of input validation or sanitization for the data retrieved from external sources.
  - Mitigation: The skill implements a manual safety check by requiring the user to confirm the selected issue, orchestration label, and execution plan before proceeding with any code implementation.
Audit Metadata