pr-mining-coordinator

Fail

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill instructions and validation scripts programmatically access the macOS keychain using the security find-internet-password command to retrieve a GitHub token. This practice exposes sensitive system-level credentials to the agent's execution environment.
  • [COMMAND_EXECUTION]: The skill frequently executes shell commands via the Bash tool and Python's subprocess module. It uses these to access the system keychain, manage background mining processes, and perform file system checks.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data (PR comments from GitHub) and uses it to generate instructional content (coding rules). An attacker could place malicious instructions in a PR comment that the agent might then adopt as a standard or execute during the generation process.
  • Ingestion points: PR comments are extracted from GitHub and loaded from mined_data/{output}.json in SKILL.md (Phase 4).
  • Boundary markers: There are no markers or instructions provided to the agent to treat the mined comment data as untrusted or to ignore embedded commands.
  • Capability inventory: The skill has access to powerful tools like Bash, Write, Edit, and Skill, and it performs shell command execution.
  • Sanitization: The skill does not perform any sanitization, validation, or escaping of the comment text before it is used to generate the final rules document.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 29, 2026, 05:28 PM
Security Audit — agent-trust-hub — pr-mining-coordinator