skills/chanmuzi/git-conventions/pr/Gen Agent Trust Hub

pr

Pass

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: SAFE
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill constructs shell commands using variables derived from the git environment and user input without explicit sanitization.
      • Evidence: In SKILL.md, variables such as {base-branch}, {type_label}, and the PR title are interpolated directly into gh pr create and gh label create command strings.
      • Risk: If a branch name or PR title contains shell metacharacters (e.g., ;, &&), it could lead to arbitrary command execution on the host system.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and processing untrusted data from the local repository and GitHub environment.
      • Ingestion points: The skill reads branch names, commit messages via git log, and existing PR metadata via gh pr list to populate PR templates.
      • Boundary markers: The skill uses a quoted heredoc (cat <<'EOF') when creating the PR body, which is a positive security measure to prevent shell expansion of the body content.
      • Capability inventory: The skill is authorized to use the Bash tool for git, gh, and Grep operations, and has file-reading capabilities.
      • Sanitization: No explicit validation or escaping is applied to variables used as CLI flag arguments before they are passed to the shell.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 31, 2026, 12:19 PM