skills/fredericosantos/skills/ghp/Gen Agent Trust Hub

ghp

Warn

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/create-milestone.py uses subprocess.run(shell=True) to execute GitHub CLI commands. It constructs command strings by interpolating variables like title, label, and milestone without proper shell escaping. This allows for arbitrary command injection if the input data (often derived from agent-planned tasks) contains malicious shell metacharacters. Although the body field is escaped, other parameters remain vulnerable.
  • [EXTERNAL_DOWNLOADS]: The skill documentation (SKILL.md) requires the installation of multiple third-party GitHub CLI extensions: yahsan2/gh-pm, valeriobelli/gh-milestone, and jwilger/gh-issue-ext. These are external programs provided by unverified authors that execute with full user permissions, posing a supply chain security risk.
  • [PROMPT_INJECTION]: Workflows such as those in commands/fresh/SKILL.md and commands/work/SKILL.md ingest untrusted content from GitHub issues, comments, and PR descriptions using gh issue view. The skill provides no instructions to use boundary markers or to ignore potential prompts embedded in the external content, making the agent susceptible to indirect prompt injection.
  • [COMMAND_EXECUTION]: The commands/init/SKILL.md file uses the !command syntax to perform dynamic context injection during skill initialization. While current commands are focused on repository metadata (e.g., git remote, gh issue list), this mechanism automatically executes shell commands when the skill is loaded and could be exploited to run arbitrary code if manipulated.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 16, 2026, 06:27 PM