ru

Fail

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill instructions in SKILL.md and related documentation contain strong behavioral override directives designed to bypass agent constraints. Specifically, 'Rule 0' establishes a 'fundamental override prerogative' over all other instructions. Additionally, a note addressed to 'Codex/GPT-5.2' explicitly instructs the agent to ignore unexpected changes in the working tree caused by other agents and to 'fool yourself' into believing those changes were its own, potentially interfering with the agent's ability to detect environment tampering.
  • [PROMPT_INJECTION]: The skill fetches and processes untrusted data from GitHub issues and pull requests via the ru review and ru agent-sweep commands. This creates a surface for indirect prompt injection where malicious instructions embedded in external issue descriptions could be interpreted by the AI agent. The skill attempts to mitigate this risk using structural JSON markers and a command validation block.
  • Ingestion points: External content from GitHub API (Issues and PRs) enters the agent context in the ru script and associated review templates.
  • Boundary markers: Present in workflow templates (e.g., RU_COMMIT_PLAN_JSON_BEGIN).
  • Capability inventory: The orchestrated agent has access to shell commands, git operations, and filesystem writes.
  • Sanitization: Minimal sanitization (e.g., replacing pipes in titles) is performed on ingested content.
  • [EXTERNAL_DOWNLOADS]: The primary installation workflow involves downloading a shell script from GitHub and piping it directly to bash (curl -fsSL ... | bash). The installer additionally prompts the user to download and execute an installer for a dependency (ntm) using the same pattern. These resources originate from the skill author's own repositories.
  • [COMMAND_EXECUTION]: The tool provides an AI agent with the ability to execute autonomous shell commands and git operations to perform maintenance tasks. The script includes a validate_agent_command function designed to block dangerous operations such as sudo or eval, but the core functionality relies on the generation and execution of arbitrary commands in the local environment.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/.../install.sh, https://raw.githubusercontent.com/Dicklesworthstone/repo_updater/main/install.sh?ru_cb=$(date (truncated in the report). DO NOT USE without thorough review.
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 28, 2026, 08:12 PM