skill-index-updater

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFE

Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and analyzes the content of SKILL.md files from external, untrusted GitHub repositories. A malicious repository author could include instructions within these files designed to influence the agent's audit results or evaluation scores.
    ◦ Ingestion points: The skill clones remote repositories and reads SKILL.md files and repository descriptions from the GitHub API.
    ◦ Boundary markers: No delimiters or instructions are used to isolate the untrusted external content from the agent's core instructions.
    ◦ Capability inventory: The agent possesses high-privilege capabilities including shell execution (bash), file system modification (Write, Edit), and GitHub interaction (gh CLI).
    ◦ Sanitization: The skill performs its own pattern-based 'lightweight audit' and uses an evaluation tool (asm eval), but these do not mitigate instructions embedded within the text that target the LLM's logic.
  • [COMMAND_EXECUTION]: The skill makes extensive use of the bash tool to perform system and network operations, including cloning repositories, managing git branches, and creating pull requests. It also executes local environment scripts such as bun run preindex and bun scripts/build-catalog.ts.
  • [EXTERNAL_DOWNLOADS]: The skill is designed to download third-party code from GitHub using git clone for the purpose of indexing. While this is the intended function, it involves downloading untrusted content into the execution environment.
Audit Metadata
Risk Level: SAFE
Analyzed: May 16, 2026, 07:48 PM
Security Audit — agent-trust-hub — skill-index-updater