publish-skill

Warn

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill makes extensive use of shell commands including git, cp, jq, and npx to manage file lifecycle and repository state. These commands operate on local paths like .agents/skills/ and a target repository path, granting the agent significant control over the filesystem and source code history.
  • [EXTERNAL_DOWNLOADS]: The instruction executes npx skills add, which triggers a download and execution of the skills package from the npm registry. The use of a generic package name without a version or scope increases the risk of a supply chain attack or the execution of an unintended package.
  • [DATA_EXFILTRATION]: The skill is designed to perform git push operations to a remote repository (specified by $AI_SKILLS_PATH). While this is the intended functionality for publishing skills, it constitutes a transfer of local content to an external remote system.
  • [PROMPT_INJECTION]: The skill processes untrusted content from SKILL.md files located in .agents/skills/. This exposes the agent to indirect prompt injection if a skill being processed contains malicious instructions designed to influence the agent or the code-reviewer tool.
  • Ingestion points: Processes SKILL.md files in Step 2 and Step 4.
  • Boundary markers: None specified for the content of the skills being reviewed.
  • Capability inventory: Includes file system access (cp), repository management (git), and remote execution (npx).
  • Sanitization: The skill includes a mitigation step by invoking a code-reviewer agent to inspect the changes before they are committed and pushed.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 10, 2026, 03:33 PM