github-auto-implement

Fail

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The daemon script in resources/scripts/github-daemon.mjs invokes the claude CLI using the --dangerously-skip-permissions flag. This explicitly bypasses the LLM's built-in safety prompts and interactive confirmations, allowing code generated from untrusted GitHub issue descriptions and comments to execute automatically on the host system.
  • [COMMAND_EXECUTION]: The script performs dynamic code loading by using import() to load a local configuration file named .agenTica.js from the current working directory. If an attacker can place a malicious file with this name in the project environment, it will lead to arbitrary code execution within the daemon process.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It fetches issue bodies and comments from GitHub and embeds them directly into instructions for the LLM without sanitization or escaping. An attacker could craft a GitHub issue that, when picked up by the daemon, overrides the agent's instructions to perform unauthorized actions.
  • Ingestion points: resources/scripts/github-daemon.mjs (via getReadyIssues and getPRContext functions fetching data from the GitHub API).
  • Boundary markers: The prompt uses markdown headers and horizontal rules as separators, but lacks explicit instructions to ignore embedded commands within the ingested data.
  • Capability inventory: The daemon can execute arbitrary shell commands through execSync and spawn, and it grants the AI full system access by skipping CLI permissions.
  • Sanitization: No sanitization, validation, or filtering of the external GitHub content is performed before it is interpolated into the system prompt.
  • [COMMAND_EXECUTION]: The daemon frequently uses execSync to run shell commands (gh, git) with arguments partially derived from GitHub issue titles and numbers, which increases the risk of command injection if the input is not strictly validated.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 21, 2026, 11:52 PM
Security Audit — agent-trust-hub — github-auto-implement