go-deploy

Warn

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes system commands (open, xdg-open, cmd.exe) using URL strings extracted from local project files. If these files contain malicious payloads with shell metacharacters (e.g., ;, &, |), it could lead to arbitrary command injection.
  • [DATA_EXFILTRATION]: The skill performs automated scanning of sensitive development files, including CI/CD configurations (.github/workflows/*.yml, .gitlab-ci.yml, Jenkinsfile) and local scripts. While the stated goal is URL extraction, automated access to these files provides a surface for harvesting sensitive deployment metadata.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests data from untrusted sources within the project workspace (such as README.md or scripts/) and uses that information to influence the agent's actions.
  • Ingestion points: Multiple project files, including README.md, docs/deploy.md, scripts/*, and CI/CD configs.
  • Boundary markers: Absent. No explicit instructions to ignore such content or to treat it as untrusted.
  • Capability inventory: Execution of shell commands in Phase 5 to open URLs.
  • Sanitization: Limited to a prefix check for http:// or https://, which does not mitigate command injection via shell metacharacters.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Jun 13, 2026, 04:29 AM
Security Audit — agent-trust-hub — go-deploy