fix-ci
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted CI logs using 'gh run view'. An attacker capable of influencing CI output (e.g., via a pull request) could embed malicious instructions in the logs.
  * Ingestion points: External CI logs are fetched and passed to sub-agents in SKILL.md (Steps 2 and 3).
  * Boundary markers: There are no clear delimiters or instructions to ignore instructions within the logs provided to the 'diagnoser' agents.
  * Capability inventory: The skill can read/write files and execute 'git push' to remote repositories.
  * Sanitization: Log content is not sanitized or escaped before being included in agent prompts.
- [COMMAND_EXECUTION]: The skill performs automated Git operations, including 'git commit' and 'git push', to apply AI-generated fixes. This automation creates a risk where unintended or malicious code changes resulting from an injection could be pushed directly to the repository.
- [EXTERNAL_DOWNLOADS]: The skill is installed via a script that downloads the definition file from a public GitHub repository. This is a standard distribution method for such skills.
Audit Metadata