The Agent Skills Directory

[PROMPT_INJECTION]: The skill describes workflows that are vulnerable to indirect prompt injection by processing untrusted data.
Ingestion points: Untrusted data enters the agent context through pull request diffs in ai-review.yml, issue titles and bodies in issue-triage.yml, and user comments in mention-bot.yml.
Boundary markers: The workflow prompts lack delimiters or explicit instructions to the AI to ignore instructions embedded within the processed data.
Capability inventory: The workflows have the capability to create PR reviews, add labels to issues, post comments, and perform git operations like rebasing and force-pushing.
Sanitization: No sanitization or filtering of external content is performed before it is interpolated into the AI prompts.
[COMMAND_EXECUTION]: The skill provides examples of automated administrative actions that could be exploited.
The auto-rebase.yml workflow example includes a git push --force-with-lease command triggered by a comment string. If the trigger condition is met through unauthorized or malicious comments, it could allow for branch history manipulation.
The Smart Cherry-Pick example illustrates a pattern where AI-generated resolutions for code conflicts are applied to the codebase, creating a risk of code injection if the AI's output is manipulated.

github-workflow-automation