fix-vulnerabilities

Pass

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted user input (vulnerability logs) and extracts variables that influence subsequent agent actions.
  • Ingestion points: Vulnerability entries in Vanta format are provided by the user and parsed in SKILL.md.
  • Boundary markers: The instructions neither wrap the vulnerability data in delimiters nor tell the agent to ignore instructions embedded in it, so text inside an advisory description is indistinguishable from the skill's own instructions.
  • Capability inventory: The skill uses high-privilege tools including git, gh (GitHub CLI), and package managers (npm, yarn, pnpm, bundle) to modify files and perform network operations.
  • Sanitization: The skill lacks instructions to escape or sanitize the extracted repo_name, package_name, or branch_name before using them in shell commands.
  • [COMMAND_EXECUTION]: The skill dynamically generates and executes shell commands using variables extracted from untrusted user input.
  • Evidence: In Phase 2, the agent is instructed to run cd <workspace_root>/<repo_name> and yarn why <package_name>, where these variables are taken directly from the parsed input without validation. A repo_name containing ../ escapes the workspace root, and a package_name that starts with - or contains shell metacharacters (;, |, $(...), a newline) is parsed as an option or a second command rather than as an argument.
  • Evidence: The PR body creation in Phase 3 uses a subshell interpolation gh pr create ... --body "$(cat <<'EOF' <body> EOF )". Quoting the delimiter ('EOF') disables expansion inside the heredoc but does not stop a body line consisting of exactly EOF from terminating it; anything placed after that line is parsed and executed as shell code, because the agent splices the body into the command text instead of passing it as data (for example via a file written outside the shell and --body-file).
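As an added example (not code from the audited skill or from Gen Agent Trust Hub), the bash script below reproduces the Phase 3 heredoc breakout against a stub `gh` and shows the two mitigations a reviewer would ask for: passing the PR body through a file so it never reaches the shell parser, and an allow-list check on repo_name / package_name / branch_name before they are spliced into `cd`, `yarn why` or `git` commands. The stub `gh`, the function names and the malicious PR body are constructed for the demonstration; `gh pr create --body-file` is a real flag.

```bash
#!/usr/bin/env bash
# Added example, not part of the audited skill. Reproduces the heredoc breakout
# from the audit's Phase 3 finding and shows two mitigations. `gh` is replaced by
# a stub so nothing touches GitHub; all inputs below are constructed.

# Stub standing in for `gh pr create`: records the body it was given in
# GH_LAST_BODY instead of opening a pull request.
gh() {
  GH_LAST_BODY=""
  while [ $# -gt 0 ]; do
    case "$1" in
      --body)      GH_LAST_BODY=$2;          shift 2 ;;
      --body-file) GH_LAST_BODY=$(cat "$2"); shift 2 ;;
      *)           shift ;;
    esac
  done
}

# Vulnerable pattern (what the audit describes): the untrusted PR body is spliced
# into the *text* of a shell command that wraps it in a quoted heredoc. Quoting
# the delimiter ('EOF') only disables $VAR and $(...) expansion inside the body;
# a body line that is exactly EOF still terminates the heredoc, and everything
# after it is parsed as shell code.
vulnerable_pr_script() {  # $1 = title (trusted here), $2 = untrusted body
  cat <<SCRIPT
gh pr create --title "$1" --body "\$(cat <<'EOF'
$2
EOF
)"
SCRIPT
}

# Runs the generated script in the current shell, as the agent's shell would.
run_vulnerable() { eval "$(vulnerable_pr_script "$1" "$2")"; }

# Constructed malicious "vulnerability description": closes the heredoc early,
# runs a command (here it only sets PWNED), then reopens a heredoc so the
# template's trailing EOF and )" still parse cleanly.
EVIL_BODY='Bumps lodash to 4.17.21.
EOF
)"; PWNED=yes; : "$(cat <<EOF
remainder of the description, silently swallowed'

# Mitigation 1: the body never passes through the shell parser. Write it with
# printf '%s' (its contents are not interpreted) and hand gh only the path.
# In the real skill the agent should write this file with its file tool rather
# than through a shell command.
safe_pr_create() {  # $1 = title, $2 = untrusted body
  local f
  f=$(mktemp) || return 1
  printf '%s' "$2" > "$f"
  gh pr create --title "$1" --body-file "$f"
  rm -f "$f"
}

# Mitigation 2: allow-list check for repo_name / package_name / branch_name
# before they are spliced into `cd`, `yarn why`, `git checkout -b`, etc.
# Rejects whitespace and newlines, shell metacharacters, a leading '-'
# (option injection such as `yarn why --foo`) and '..' (escaping workspace_root).
validate_name() {  # $1 = extracted value; returns 0 if acceptable, 1 otherwise
  local re='^[A-Za-z0-9@][A-Za-z0-9._/-]{0,199}$'
  [[ $1 =~ $re ]] || return 1
  [[ $1 == *..* ]] && return 1
  return 0
}

# Demo (runs only when the script is executed directly).
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  PWNED=""
  run_vulnerable "Fix lodash CVE" "$EVIL_BODY"
  echo "vulnerable: gh saw '$GH_LAST_BODY', PWNED=$PWNED"
  PWNED=""
  safe_pr_create "Fix lodash CVE" "$EVIL_BODY"
  echo "safe: body intact (${#GH_LAST_BODY} bytes), PWNED='$PWNED'"
fi
```

In the vulnerable run the stub receives only the first line of the body and PWNED is set by the injected command; in the safe run the full body, EOF line included, reaches `gh` as data and nothing else executes. The file route fixes the body because the value is never part of a parsed command; the extracted names, by contrast, are used as command arguments by design, so for them the only workable control is rejecting anything outside the allow-list before the command is composed.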
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 14, 2026, 02:50 PM