collapse-bot-comments
Warn
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill explicitly instructs the agent to bypass security controls by stating "Use full permissions for the command, not the sandbox" when performing GitHub API operations. This is an attempt to override platform-level security constraints.
- [PROMPT_INJECTION]: The skill exhibits a vulnerability to indirect prompt injection. It retrieves and processes untrusted data from external sources (GitHub PR comments) and uses that content in follow-up API requests without sanitization, which could allow malicious instructions embedded in comments to influence agent actions. Ingestion points: Retrieves comment bodies via gh api commands as defined in the SKILL.md workflow. Boundary markers: Absent; there are no instructions to the agent to ignore or delimit potentially malicious instructions within the fetched comment content. Capability inventory: Uses the gh CLI with PATCH methods to modify external data on GitHub. Sanitization: No validation or escaping is applied to the comment body before it is processed and re-submitted.
- [COMMAND_EXECUTION]: The skill uses the GitHub CLI (gh api --method PATCH) to perform state-changing operations on external infrastructure based on content retrieved from untrusted sources.
Audit Metadata