identify-malicious-repository

Pass

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: SAFE
Categories flagged: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted repository identifiers (names and URLs) that may contain malicious instructions or unexpected characters intended to influence the agent's behavior.
  • Ingestion points: Untrusted data enters the skill via the repo_full_name variable in the Python script and the repo_url variable in the Bash script within SKILL.md.
  • Boundary markers: There are no boundary markers or explicit instructions to ignore embedded commands within the processed repository data.
  • Capability inventory: The skill performs network requests via requests.get and executes subprocesses using curl and the gh CLI tool (SKILL.md).
  • Sanitization: No escaping or validation is performed on the input strings before they are interpolated into shell commands or API URL templates.
  • [COMMAND_EXECUTION]: The provided shell and Python scripts execute system commands and network operations using variables derived from external inputs. The lack of sanitization for characters like backticks or semicolons in the repository identifiers could lead to command manipulation if the scripts are executed with malicious input strings.
Audit Metadata
Risk Level: SAFE
Analyzed: May 18, 2026, 08:08 PM
Security Audit — agent-trust-hub — identify-malicious-repository