ship

Pass

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: SAFE
Categories: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill explicitly instructs the agent to operate in a "non-interactive, fully automated" mode, specifically ordering it to "Do NOT ask for confirmation at any step" and "Never ask for trivial confirmations." This suppresses the standard human-in-the-loop safety checks for impactful actions like pushing code or creating pull requests.
  • [COMMAND_EXECUTION]: The workflow relies on the Bash tool to execute arbitrary local project scripts (pnpm run build/lint/test) and system-level commands (git, gh). This assumes the integrity of the project's own configuration and scripts, which the agent executes automatically.
  • [DATA_EXFILTRATION]: The skill is designed to transmit local source code, commit history, and internal project metadata to external git hosting providers via git push and gh pr create operations.
  • [PROMPT_INJECTION]: The skill possesses a significant indirect prompt injection surface by ingesting and processing untrusted data from the local environment and git history.
    • Ingestion points: Commit messages retrieved via git log, file changes from git diff, and project management files found in ~/.claude/plans or ~/.gstack/projects.
    • Boundary markers: Absent. The skill does not provide the agent or its subagents with delimiters or instructions to treat this external data as untrusted content.
    • Capability inventory: The agent can execute shell commands (Bash), modify the filesystem (Edit, Write), and orchestrate additional autonomous sub-tasks (Agent).
    • Sanitization: No validation, escaping, or filtering of the ingested content is performed before it is used to influence the agent's logic or generate the final pull request descriptions.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 28, 2026, 07:25 PM