build-train

Warn

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the bash tool to spawn child processes with claude -p using the --dangerously-skip-permissions flag. This flag enables the worker to execute shell commands and modify the filesystem without user review, creating a risk if the worker is compromised by the input data.
  • [COMMAND_EXECUTION]: The skill uses the --admin flag with gh pr merge in Phase 3. This allows the agent to bypass repository branch protection rules and administrative constraints.
  • [PROMPT_INJECTION]: The skill uses authoritative directives such as 'CRITICAL INSTRUCTIONS' and 'You are headless' to override the AI's standard operating procedures and safety guardrails.
  • [PROMPT_INJECTION]: The skill demonstrates a significant surface for Indirect Prompt Injection.
    • Ingestion points: Untrusted data from GitHub issue titles and bodies is fetched via gh issue view in Phase 0.4 and interpolated into the worker prompt.
    • Boundary markers: No delimiters or safety instructions are used to separate the untrusted data from the system instructions.
    • Capability inventory: The skill uses the gh CLI for repo management and spawns child workers with full local access via claude -p.
    • Sanitization: There is no evidence of sanitization or validation of the content retrieved from GitHub issues before it is used to build the execution prompt.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 22, 2026, 03:49 PM