generate-pr-description

Pass

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection because it processes untrusted data from git commit messages, branch names, and diffs to construct the PR description. An attacker with commit access could include instructions in a commit message that influence the AI's behavior during description generation.
      • Ingestion points: Git diff statistics, commit logs (git log --oneline), and file change lists extracted in SKILL.md.
      • Boundary markers: No explicit delimiters or instructions are used to separate git history content from the AI's core instructions.
      • Capability inventory: The skill can write files to the project root (pr-description.md), read/write local configuration (skills-configs.json), and access the system clipboard via copy-to-clipboard.mjs.
      • Sanitization: There is no evidence of sanitization or filtering of the commit messages before they are processed by the LLM.
  • [COMMAND_EXECUTION]: The skill executes local Node.js scripts and system shell commands to perform its workflow.
      • Clipboard access: scripts/copy-to-clipboard.mjs uses child_process.spawn to invoke platform-specific clipboard tools (pbcopy, clip, xclip, xsel).
      • Configuration management: scripts/tasks-system.mjs reads and writes skills-configs.json in the user's project directory.
      • Git operations: The skill relies on multiple git commands (rev-parse, show-branch, merge-base, diff, log) to gather data.
Audit Metadata
Risk Level: SAFE
Analyzed: May 14, 2026, 05:51 PM