resolve-conflicts

Pass

Audited by Gen Agent Trust Hub on Apr 8, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted metadata from GitHub PRs and commit history, which can serve as a vector for indirect prompt injection.
      • Ingestion points: Fetches PR titles and bodies using gh pr view and reads commit messages via git log.
      • Boundary markers: Relies on standard git diff3 markers which are structural delimiters and do not specifically guard against natural language instructions embedded in code or PR comments.
      • Capability inventory: Extensive permissions to modify files, execute shell commands, run package managers, and push to remote repositories.
      • Sanitization: External PR content is not sanitized or wrapped in instruction-ignoring delimiters before being processed by the agent.
  • [COMMAND_EXECUTION]: The skill uses multiple shell commands to interact with the repository and external tools.
      • Executes git, gh (GitHub CLI), and various package managers (npm, yarn, pnpm, cargo, bundle, poetry, composer, go) to resolve conflicts and validate changes.
      • Invokes a local categorization script: bash ${CLAUDE_SKILL_DIR}/scripts/categorize-conflicts.sh.
  • [EXTERNAL_DOWNLOADS]: Regeneration of lock files for different language ecosystems involves network requests to official registries.
      • Commands such as npm install, cargo generate-lockfile, and poetry lock fetch package metadata and dependency information from well-known registries like npmjs.org, crates.io, and pypi.org.
  • [DATA_EXFILTRATION]: The skill can automatically transmit local repository state to remote servers as part of its automated workflow.
      • In headless mode, the skill performs a git push to the branch's tracked remote (e.g., GitHub) if an open PR is detected.
      • The skill identifies and accesses sensitive file patterns (e.g., .env, *secret*, *credential*) during conflict resolution, which may result in these files being staged and pushed if they are part of the merge conflict.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 8, 2026, 02:54 PM