skill-upstream-pr

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing untrusted data from external repositories.
      ◦ Ingestion points: Target SKILL.md files from external GitHub repositories are cloned and read during Phases 0 and 1.
      ◦ Boundary markers: Absent; there are no explicit instructions to treat the ingested repository content as untrusted or to use delimiters to prevent instruction hijacking.
      ◦ Capability inventory: The skill possesses significant capabilities, including git push to personal forks, gh pr create to upstream repositories, and arbitrary bash command execution.
      ◦ Sanitization: Absent; the content from the external repository is analyzed to generate metrics and pull request descriptions without prior sanitization.
      ◦ Mitigation: The risk is mitigated by a mandatory Phase 5 checkpoint requiring explicit user approval of the diff and pull request body before any public action is taken.
  • [COMMAND_EXECUTION]: Uses local shell tools for repository management and workflow automation.
      ◦ Evidence: SKILL.md contains multiple bash blocks utilizing git (rev-parse, fetch, pull, checkout, add, commit, push) and gh (repo fork, pr create).
      ◦ Context: These operations are the primary function of the skill, used to manage the contribution workflow for open-source projects.
  • [DATA_EXFILTRATION]: Performs network operations to GitHub to create public pull requests.
      ◦ Evidence: Phase 6 utilizes the gh tool to push committed changes to the user's fork and create a pull request on the original upstream repository.
      ◦ Context: These actions are consistent with the skill's stated purpose; data sent externally consists of proposed skill improvements and metrics generated by the asm eval tool.
Audit Metadata
Risk Level: SAFE
Analyzed: May 16, 2026, 07:48 PM
Security Audit — agent-trust-hub — skill-upstream-pr