skills/cristoslc/swain/swain-dispatch/Gen Agent Trust Hub

swain-dispatch

Warn

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to interpolate user-provided artifact IDs directly into shell commands (e.g., find docs/ -path "*${ARTIFACT_ID}*"). This allows for command injection if the user input contains shell metacharacters like semicolons or backticks.
  • [COMMAND_EXECUTION]: The process for creating the GitHub issue body uses an unquoted shell heredoc (cat <<EOF). This causes the local shell to evaluate any command substitutions (such as $(...) or backticks) present within the artifact's markdown content before the issue is sent, enabling potential local code execution from files within the repository.
  • [PROMPT_INJECTION]: The skill facilitates an indirect prompt injection surface by reading data from local files and user input to be processed by a background agent without adequate sanitization or boundary protection.
      • Ingestion points: User-supplied ARTIFACT_ID and the contents of markdown files found in the docs/ directory (referenced in SKILL.md).
      • Boundary markers: Absent for shell command construction; markdown horizontal rules (---) are used in the issue body but do not prevent shell evaluation during construction.
      • Capability inventory: The skill is granted access to the Bash, Read, Grep, and Glob tools.
      • Sanitization: No sanitization or escaping mechanisms are implemented for the external content before it is interpolated into shell commands or prompt bodies.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 24, 2026, 08:17 PM