listing-stale-branches

Warn

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill interpolates user-supplied values from the $ARGUMENTS string (such as the base branch name) directly into shell commands. Although variables like $BASE_BRANCH are enclosed in double quotes in commands like git rev-parse --verify "$BASE_BRANCH", this pattern still presents a risk of command injection depending on the agent's parsing logic and the specific shell environment.
  • [PROMPT_INJECTION]: The skill creates an attack surface for indirect prompt injection by ingesting untrusted data from the local environment. It reads branch names and commit messages (via git branch, git log, and git for-each-ref) and processes them as strings. A malicious repository could use specially crafted branch names or commit metadata to attempt to influence the agent's behavior or output.
    • Ingestion points: Branch names and commit messages are read from the local repository using git commands in SKILL.md and WORKFLOW.md.
    • Boundary markers: No explicit delimiters or boundary markers are used to separate repository data from the agent's instructions.
    • Capability inventory: The skill has access to the Bash tool to execute system commands.
    • Sanitization: There is no evidence of sanitization or filtering of the repository metadata before it is processed by the agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 26, 2026, 10:55 AM