github-code-review

Warn

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The webhook-handler.js example in SKILL.md contains a direct command injection vulnerability. It calls execSync (SKILL.md line 226) on a shell command string built by concatenating text taken directly from a GitHub comment (event.comment.body), with no validation or sanitization. Because that string is interpreted by a shell, anyone who can post a comment on the PR can execute arbitrary system commands by posting a crafted comment such as /swarm ; rm -rf / ; (the shell runs the text after the first ; as a separate command).
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it takes untrusted data from an external source (GitHub PRs) and uses it to drive agent workflows.
    • Ingestion points: pull request titles, bodies, and comments are fetched via the GitHub CLI and webhooks (SKILL.md lines 38, 154, 219).
    • Boundary markers: no delimiters or instructions separate the untrusted data from the system's operational instructions.
    • Capability inventory: the skill has access to the local shell, the GitHub CLI (gh), and the ruv-swarm orchestrator, so it can read files, modify PRs, and make network requests. Instructions injected through PR text therefore inherit all of those capabilities.
    • Sanitization: the skill does not validate or escape the data retrieved from GitHub before processing it.
  • [EXTERNAL_DOWNLOADS]: The workflow relies on npx ruv-swarm (SKILL.md lines 20, 44, 226), which downloads and executes a package from the npm registry at run time. Each run therefore trusts whatever the registry serves for that package name at that moment, which exposes the skill to supply-chain attacks (a compromised package or publisher account) and to typosquatting if the package name is mistyped. Pinning an exact version (ruv-swarm@<version>) and resolving it through a reviewed lockfile would narrow this to a known artifact.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 2, 2026, 07:18 AM
Security Audit — agent-trust-hub — github-code-review