post-deploy

Pass

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes shell scripts located within the repository, such as scripts/build-worker-image.sh and event-router.sh, based on file-matching rules. This allows for the execution of code that could be modified in a malicious PR.
  • [COMMAND_EXECUTION]: The executor-verify action runs bash -n on scripts identified in the PR's changed files list. While this is a syntax check, it involves processing paths derived from untrusted PR data.
  • [PROMPT_INJECTION]: The skill ingests untrusted data from GitHub PRs, specifically the PR_TITLE and CHANGED_FILES, and interpolates them into shell command outputs and Markdown reports without sanitization or boundary markers.
  • [COMMAND_EXECUTION]: PR metadata and configuration from CLAUDE.md are used to build shell commands and summaries. Maliciously crafted PR titles or file names containing shell-sensitive characters could interfere with command execution logic, such as the printf '%b' expansion in the summary step.
  • [PROMPT_INJECTION]: Mandatory Evidence Chain for Indirect Prompt Injection:
      ◦ Ingestion points: PR metadata (title, file list) via gh pr view and team configuration from CLAUDE.md.
      ◦ Boundary markers: None. Untrusted data is directly echoed or written to files.
      ◦ Capability inventory: Bash (shell execution), Write (report generation), Read (config and PR data).
      ◦ Sanitization: None. The skill processes external metadata as raw strings.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 26, 2026, 07:53 PM