rust-node-ci

Warn

Audited by Gen Agent Trust Hub on Jun 12, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: Several composite action templates under templates/actions/, specifically wait-npm-propagation, rust-cross-build, setup-workspace, and compute-version, interpolate GitHub Actions inputs directly into shell run blocks through the ${{ inputs. }} expression syntax. Because the expression is expanded into the script text before the shell parses it, this pattern is vulnerable to command injection. For example, in wait-npm-propagation/action.yml, the line PACKAGES='${{ inputs.packages }}' can be exploited by an input containing a single quote followed by a shell command. Similar vulnerabilities exist in rust-cross-build/action.yml with the target and packages inputs, and in setup-workspace/action.yml with install-args.
  • [EXTERNAL_DOWNLOADS]: The workflow templates reference several external GitHub Actions. These include official actions from GitHub such as actions/checkout and actions/setup-node, and community-standard actions from well-known developers such as pnpm/action-setup, dtolnay/rust-toolchain, and Swatinem/rust-cache. These are widely recognized and standard tools for CI/CD pipelines.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Jun 12, 2026, 10:41 PM
Security Audit — agent-trust-hub — rust-node-ci