The Agent Skills Directory

[COMMAND_EXECUTION]: The documentation for jj bisect run (in references/bisect.md) and jj util exec (in references/util.md) describes subcommands that allow the execution of arbitrary shell commands through the version control interface.
[COMMAND_EXECUTION]: The jj file chmod command (in references/file.md) is documented, which enables changing the executable bits of files within a repository.
[COMMAND_EXECUTION]: Examples in several reference files (e.g., references/diff.md) demonstrate piping the output of jj commands to shell utilities like xargs and perl, highlighting the potential for command-line manipulation.
[PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection due to its interaction with external Git repository data.
Ingestion points: The agent reads untrusted data from the repository via commands like jj log, jj show, and jj diff (references/log.md, references/show.md, references/diff.md).
Boundary markers: There are no instructions or boundary markers to prevent the agent from treating instructions found in commit messages or diffs as commands.
Capability inventory: The skill provides capabilities for arbitrary command execution (jj util exec), network operations (jj git push), and permission changes (jj file chmod).
Sanitization: There are no guidelines for sanitizing or validating repository content before it is processed by the agent.

jj-vcs