maintainer-orchestrator
Warn
Audited by Gen Agent Trust Hub on Jun 29, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses various command-line tools such as git for repository operations, npm for package management, and op (the 1Password CLI) for handling credentials. It also invokes repository-specific scripts for release automation.
- [CREDENTIALS_UNSAFE]: The instructions explicitly direct the agent to retrieve sensitive information from 1Password vaults using the op CLI. While it mandates using scoped service accounts and forbids broad secret enumeration, this capability gives the agent direct access to infrastructure secrets.
- [REMOTE_CODE_EXECUTION]: Worker threads are tasked with reproducing issues and running 'live/end-to-end proof' against the real affected boundaries. This involves executing code and tests provided in pull requests. Running arbitrary code from untrusted contributors represents a remote code execution risk.
- [PROMPT_INJECTION]: The skill processes untrusted external data from GitHub issues and pull requests, creating an indirect prompt injection surface. The instructions also state to 'Treat the newest thread-local instruction as authoritative over older orchestration plans,' which could be exploited by an attacker providing instructions within a worker thread's context (e.g., in a PR comment) to divert the orchestrator from its original policy. Mandatory evidence for indirect injection: (1) Ingestion points: GitHub issue descriptions and PR discussions; (2) Boundary markers: none specified to isolate untrusted data; (3) Capability inventory: 1Password access, git mutations, and arbitrary command execution; (4) Sanitization: no explicit validation or sanitization process for GitHub content.
Audit Metadata