yeet
Warn
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill interpolates user-provided `{description}` variables directly into shell commands, specifically for branch creation (`git checkout -b "codex/{description}"`) and commits (`git commit -m "{description}"`). This creates a direct command injection surface if the description contains shell metacharacters.
- [REMOTE_CODE_EXECUTION]: The instructions state to 'run pr-body.md' after writing generated PR descriptions to it. Executing a file with a `.md` extension, especially one populated with AI-generated or user-influenced content, is an unsafe pattern that could lead to arbitrary code execution.
- [EXTERNAL_DOWNLOADS]: The skill specifies that if checks fail due to missing dependencies, the agent should 'install dependencies and rerun once.' This directive is overly broad and does not restrict the agent to trusted package registries or specific tools, potentially allowing for the installation of malicious software.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests untrusted user input for the PR description and interpolates it into the workflow without boundary markers or sanitization.
  - Ingestion points: User-provided `{description}` (SKILL.md)
  - Boundary markers: None identified.
  - Capability inventory: Shell command execution, file writing, network operations via `git` and `gh` (SKILL.md)
  - Sanitization: None identified.
Audit Metadata