ak-maintainer

Pass

Audited by Gen Agent Trust Hub on Jun 27, 2026

Risk Level: SAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it is designed to fetch and process attacker-controlled content from GitHub issues, pull requests, and comments.
      • Ingestion points: Untrusted data enters the context via gh issue view, gh pr view, and gh api calls (SKILL.md).
      • Boundary markers: The instructions do not specify the use of delimiters or 'ignore' instructions when processing external content.
      • Capability inventory: The agent can execute subprocesses (ak, gh, git), write to memory files, and create/assign tasks (SKILL.md).
      • Sanitization: The skill does not explicitly mention sanitizing or escaping the fetched content before interpolation.
      • Risk Assessment: This is a standard risk for a maintainer bot. The skill mitigates this by using a structured heartbeat workflow and delegating execution to other agents, preventing the maintainer itself from directly running potentially malicious code from a PR.
  • [COMMAND_EXECUTION]: The skill uses several command-line tools (ak, gh, git) to manage repositories and Kanban boards.
      • Evidence: SKILL.md contains multiple examples of CLI usage, including ak auth, ak get, ak apply, gh issue view, and git clone.
      • Risk Assessment: These commands are necessary for the skill's primary function. The skill includes security-positive instructions to use specific bot identities rather than human credentials.
  • [CREDENTIALS_UNSAFE]: The skill includes explicit instructions to protect sensitive information.
      • Evidence: The 'Memory Policy' in SKILL.md and references/heartbeat-template.md explicitly forbids the storage of secrets, tokens, private keys, or environment variables in the skill's durable memory files.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Jun 27, 2026, 04:37 PM
Security Audit — agent-trust-hub — ak-maintainer