
Skill: pm

Audit result: Pass

Audited by Gen Agent Trust Hub on Apr 20, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute GitHub CLI (gh) commands where user-provided inputs such as issue numbers (SUB_NUMBER, PARENT_NUMBER), descriptions, and search keywords are interpolated into shell strings. For example, gh api "repos/OWNER/REPO/issues/SUB_NUMBER" and gh issue list --search "keywords". Without explicit sanitization instructions, these points are vulnerable to command injection if a user provides a crafted payload (e.g., 42; rm -rf /).
  • [INDIRECT_PROMPT_INJECTION]: The skill reads and processes external data that could be attacker-controlled. Specifically, it reads issue specifications from .dev/pm/specs/*.md and surveys the codebase using Read, Grep, and Glob. Malicious content within these files or code comments could influence the agent's classification, discovery, or drafting phases.
      ◦ Ingestion points: Reads files via the Read, Grep, and Glob tools; parses .dev/pm/specs/*.md files; fetches external content via WebFetch.
      ◦ Boundary markers: None identified in the instructions to separate untrusted data from agent instructions.
      ◦ Capability inventory: Significant capabilities, including Bash(gh:*), Write, Edit, and WebFetch.
      ◦ Sanitization: No specific sanitization or validation steps are prescribed for the ingested content before it is used to drive the workflow.
  • [DATA_EXFILTRATION]: The skill's primary workflow involves reading local repository content and sending it to GitHub as an issue body. While intended, this pattern can be abused to exfiltrate sensitive files, environment variables, or secrets if the agent is successfully injected or directed to include them in the issue-body.md file.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 20, 2026, 05:28 AM