
ship

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection as it processes untrusted data from the repository environment to drive its decision-making logic.
  • Ingestion points: The skill ingests data from git status, git log, and gh pr view output in scripts/preflight.sh and scripts/backfill-pr.sh. It also reads README.md and AGENTS.md to perform documentation updates.
  • Boundary markers: There are no explicit boundary markers or instructions to the agent to ignore potentially malicious instructions embedded in commit messages or repository files.
  • Capability inventory: The skill possesses extensive capabilities including file system modification (CHANGELOG.json, README.md), shell command execution (git, gh, quality gates), and network operations via git push and GitHub PR creation.
  • Sanitization: In scripts/preflight.sh, the skill constructs JSON output using a shell heredoc (cat <<ENDJSON) and direct variable expansion (e.g., "currentBranch": "$CURRENT_BRANCH"). This allows for schema confusion attacks where a malicious branch name containing double quotes and JSON syntax could manipulate the metadata parsed by the agent, potentially triggering unintended branch creation or quality gate bypasses.
  • [COMMAND_EXECUTION]: The skill facilitates the execution of project-defined scripts and tools.
  • scripts/detect-gates.sh automatically identifies and executes commands from the project's package.json (such as lint, test, build). While this is the intended purpose of the skill, it creates a mechanism where an attacker with the ability to modify package.json can achieve command execution when the agent runs the 'ship' task.
  • The skill is instructed to "attempt to fix the issues and re-run the failing gate," which grants the agent autonomy to execute shell commands based on the output of linting or testing tools.
Audit Metadata
Risk Level
SAFE
Analyzed
May 16, 2026, 09:51 AM
Security Audit — agent-trust-hub — ship