finops-overview
Fail
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The Execution block in SKILL.md passes user-supplied arguments to a bash script without quoting: bash "${SKILL_DIR}/scripts/billing-summary.sh" $ARGS. This allows arbitrary command injection if an attacker provides a string containing shell metacharacters such as semicolons, backticks, or pipes.
- [COMMAND_EXECUTION]: The use of dynamic context injection (!git remote get-url origin) in SKILL.md triggers automatic shell command execution when the skill is loaded, which could be abused if the repository environment is compromised or if the pattern is extended to more sensitive commands.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests data from external GitHub API endpoints and local workflow files without delimiters or sanitization. This data could contain malicious instructions that the agent might inadvertently execute.
  - Ingestion points: GitHub API responses for billing and runs, and local .github/workflows/ file content.
  - Boundary markers: Absent. The instructions do not wrap external data in markers or include directives to ignore embedded commands.
  - Capability inventory: The skill can execute shell commands via bash and the gh CLI.
  - Sanitization: None. The script directly processes and displays output from API calls and local file analysis without validation.
Recommendations
- AI detected serious security threats