
ship

Warn

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The instructions explicitly direct the agent to override standard interactive behavior and safety oversight, stating 'This is a non-interactive, fully automated workflow. Do NOT ask for confirmation at any step' and 'Never stop for... Commit message approval... Auto-fixable review findings'.
  • [COMMAND_EXECUTION]: The skill dynamically detects and executes test commands and build scripts from the local codebase (e.g., from package.json, Makefiles, or Gemfiles), which may run arbitrary code defined in the repository.
  • [DATA_EXFILTRATION]: The skill automatically pushes local source code and commit history to remote servers using git push and creates Pull Requests via the gh CLI. While this is the intended function, the 'non-interactive' instructions remove the user-in-the-loop verification step for the content being exfiltrated to the remote repository.
  • [PROMPT_INJECTION]: The skill exhibits an Indirect Prompt Injection surface (Category 8) by ingesting untrusted data from the repository:
    ◦ Ingestion points: Reads checklist.md, TODOS.md, and plan files (from docs/plans/, docs/designs/, etc.) in SKILL.md.
    ◦ Boundary markers: Minimal boundary markers are present; it only checks the first 20 lines of plan files for relevance before processing.
    ◦ Capability inventory: The skill uses Bash to execute commands, Write to modify the filesystem, and Agent to dispatch subagents that process the ingested content.
    ◦ Sanitization: No sanitization or escaping of external file content is described before it is passed to the LLM or subagents.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Jun 16, 2026, 06:52 AM
Security Audit — agent-trust-hub — ship