oma-scm

Pass

Audited by Gen Agent Trust Hub on May 3, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill has a risk surface for indirect prompt injection as it ingests and processes untrusted data from the repository's history, including commit messages, branch names, and diffs.
      • Ingestion points: External data enters the agent context via git log, git diff, and git status in SKILL.md and resources/onboarding-risk-signals.md.
      • Boundary markers: The instructions do not define explicit delimiters or include warnings to ignore instructions that may be embedded within the processed git history.
      • Capability inventory: The skill is capable of modifying the repository state through git commit, git add, and git worktree commands.
      • Sanitization: No validation or sanitization is performed on the data retrieved from the repository before it is interpreted by the agent.
  • [COMMAND_EXECUTION]: The skill utilizes several local shell and Git commands (git commit, git status, rg, sort) to perform software configuration management tasks. These commands are appropriately scoped to the local repository environment.
  • [SAFE]: The skill implements positive security controls, such as a forbidden_patterns list in config/commit-config.yaml to prevent the staging of sensitive files like .env, .pem, and credentials.json. It also explicitly instructs the agent never to use bulk staging commands like git add . without permission.
Audit Metadata
Risk Level: SAFE
Analyzed: May 3, 2026, 01:33 AM
Security Audit — agent-trust-hub — oma-scm