track-framework-updates

Pass

Audited by Gen Agent Trust Hub on Jun 25, 2026

Risk Level: SAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill is designed to process external untrusted data (GitHub releases, discussions, and RSS feeds), which represents a potential indirect prompt injection surface. However, the skill implements strong mitigations:
      • Ingestion points: Data is fetched in fetch_releases.py, fetch_discussions.py, and fetch_rss.py from external GitHub repositories and RSS URLs defined in sources.json.
      • Boundary markers: The SKILL.md file contains explicit security instructions to the agent to treat all fetched content as untrusted and to disregard any instructions or overrides found within that data.
      • Capability inventory: The skill uses subprocess.run to invoke the GitHub CLI and urllib.request to fetch RSS feeds.
      • Sanitization: The scripts/_common.py file includes a sanitize_untrusted_text function that proactively redacts lines containing common prompt injection patterns (e.g., "ignore previous instructions", "system override") before the text is processed by the agent.
  • [COMMAND_EXECUTION]: The skill uses the subprocess.run function in scripts/_common.py to execute GitHub CLI (gh) commands. This is a legitimate requirement for the skill's purpose. The implementation correctly passes arguments as a list and does not use shell=True, which protects against shell injection vulnerabilities.
  • [EXTERNAL_DOWNLOADS]: The skill fetches data from external sources, including GitHub and various framework blogs.
      • Source Evaluation: The downloads target well-known open-source organizations (e.g., Angular, React, Vue, Svelte) and established framework websites.
      • Security Controls: The fetch_rss.py script includes a custom _SafeRedirectHandler that strictly enforces HTTPS for all redirects, mitigating potential SSRF or data interception risks. Additionally, a 5MB size limit is enforced on all feed downloads to prevent resource exhaustion attacks.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 25, 2026, 04:10 AM
Security Audit — agent-trust-hub — track-framework-updates