The Agent Skills Directory

[COMMAND_EXECUTION]: The workflow in SKILL.md specifies that the agent should 'run pr-body.md' after writing LLM-generated content to it. Executing a file created from model output is a critical security risk, as it allows for arbitrary code execution if the content contains script commands or is executed via a shell interpreter.
[EXTERNAL_DOWNLOADS]: The instruction to 'install dependencies' when checks fail is unbounded and lacks verification. This allows the agent to execute arbitrary package manager commands (e.g., npm install, pip install), which can result in the execution of untrusted code from external registries if the repository's configuration files are compromised.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) as it processes local repository data to generate PR descriptions. Malicious instructions within the codebase could manipulate the agent's output, posing a heightened risk given the instruction to 'run' the resulting file.
Ingestion points: Reads local file deltas and repository state (SKILL.md).
Boundary markers: None present to delimit untrusted data from the prompt.
Capability inventory: Access to git, gh CLI, and arbitrary shell-based package installation commands (SKILL.md).
Sanitization: No validation or sanitization of input data is specified before processing.

git-yeet