The Agent Skills Directory

[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it analyzes external data (file contents, git diffs) to generate text output like pull request descriptions.
Ingestion points: docs/pr.md (processes git status, diff summaries, and commit history).
Boundary markers: Absent. The instructions do not provide delimiters or warnings to the model to ignore potential instructions embedded within the code being analyzed.
Capability inventory: The agent has the ability to execute git commands, including commit and push operations.
Sanitization: Absent. The content is directly interpolated into a prompt using templates/pull-request-template.md.
[DATA_EXFILTRATION]: The skill's file inclusion policy creates a risk of exposing sensitive data by pushing it to a remote repository.
Evidence: shared/file-inclusion-policy.md specifies that the agent should include all modified, staged, unstaged, and untracked files by default.
The 'Ambiguity rule' explicitly states: 'If there is any uncertainty about whether a file should be committed: Include the file.'
This behavior may lead to the accidental commitment of sensitive local configuration or environment files that are not caught by the brief exclusion list or the project's .gitignore.
[COMMAND_EXECUTION]: The skill relies on executing shell commands to perform Git operations.
Evidence: docs/branch.md, docs/commit.md, and docs/pr.md describe workflows involving repository inspection, staging, committing, and pushing to remote origins via shell-based tools.

git-workflow