moai-workflow-ci-autofix

Pass

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: SAFE
Flags: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It ingests untrusted data from external CI logs and pull request diffs, which are then processed by a subagent to generate code patches.
    ◦ Ingestion points: Data enters the context via scripts/ci-autofix/log-fetch.sh, which captures GitHub Actions logs and PR diffs.
    ◦ Boundary markers: The skill instructions suggest wrapping content in <log_and_diff_content> tags when delegating to the manager-quality subagent. This provides some structural separation but does not prevent adversarial instructions within the logs from influencing the subagent's output.
    ◦ Capability inventory: The skill can execute arbitrary Bash commands, perform Git operations (commit and push to remote branches), and delegate tasks to other agents.
    ◦ Sanitization: The skill uses jq to parse structured JSON handoff data, but there is no evidence of sanitization or filtering of the natural-language content within the CI logs themselves before it is passed to the LLM subagent.
  • [EXTERNAL_DOWNLOADS]: The skill fetches content from external URLs.
    ◦ The log-fetch.sh script downloads log data and diffs from GitHub (github.com) using the provided logUrl and runId parameters. This is a standard operation for CI automation and targets a well-known service.
  • [COMMAND_EXECUTION]: The skill frequently executes local shell scripts and CLI tools to manage the auto-fix workflow.
    ◦ It invokes scripts/ci-autofix/log-fetch.sh, scripts/ci-autofix/classify.sh, and scripts/ci-watch/run.sh.
    ◦ It performs Git operations including git add, git commit, and git push. The skill explicitly forbids force-pushing as a safety invariant.
Audit Metadata
  Risk Level: SAFE
  Analyzed: May 14, 2026, 03:31 PM