The Agent Skills Directory

[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its ingestion of untrusted external content. 1. Ingestion points: Repository files such as README.md and CONTRIBUTING.md, along with metadata from issues and pull requests (SKILL.md, references/upstream-research-checklist.md). 2. Boundary markers: No markers or explicit instructions to isolate untrusted content were found. 3. Capability inventory: The skill utilizes the Bash tool for shell commands and has file Write permissions (SKILL.md). 4. Sanitization: No filtering or validation of ingested data is implemented.
[COMMAND_EXECUTION]: Instructions in SKILL.md use shell commands with placeholders like '<owner/repo>'. If these inputs are not correctly sanitized by the platform, they could be exploited for command injection. Additionally, the validation script 'scripts/validate.sh' uses 'eval' on internal command strings, which is a risky coding pattern.

pr-research