daily-releases

Warn

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's instructions for handling user input via $ARGUMENTS involve interpolating these values directly into shell command templates (e.g., uv run ... [--branch BRANCH]). This design creates a risk of command injection if the agent performs literal string substitution of unvalidated input into shell environments.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted git metadata (commit messages and diffs) using an AI subagent. An attacker could craft malicious commit messages designed to manipulate the AI's categorization logic or include malicious content in the final release notes.
      • Ingestion points: The scripts/collect_day_dataset.py script extracts raw git metadata and diffs into the ./daily-releases/ directory for processing.
      • Boundary markers: The prompt templates in references/synthesis_prompt.md use XML-style <content> tags to delimit untrusted git data for the subagent.
      • Capability inventory: The skill includes scripts like scripts/publish_daily_release.py that can create, update, and delete git tags and GitHub releases.
      • Sanitization: The skill does not perform any sanitization or filtering of commit messages or diff content before passing them to the AI subagent.
  • [DATA_EXFILTRATION]: The skill requires a GITHUB_TOKEN and performs network requests to the GitHub API. While this is necessary for its intended functionality (managing releases), these capabilities could be abused to exfiltrate repository data or manipulate tags if the agent's behavior is subverted.
  • [COMMAND_EXECUTION]: The shared utility script scripts/daily_releases_lib/daily_releases_lib/github_utils.py allows disabling SSL/TLS certificate verification via the GITHUB_SSL_VERIFY environment variable. Disabling certificate verification is a security risk that exposes the agent to man-in-the-middle (MitM) attacks during GitHub API communications, including interception of the GITHUB_TOKEN sent with those requests.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 28, 2026, 12:17 AM