skills/strzhao/ai-todo-cli/ai-todo/Gen Agent Trust Hub

ai-todo

Pass

Audited by Gen Agent Trust Hub on Mar 23, 2026

Risk Level: SAFE
Flags: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill instructs the agent to read the content of ~/.config/ai-todo/credentials.json to check for existing credentials. Reading files that contain authentication tokens or secrets can lead to their accidental exposure in the agent's output, logs, or conversation history.
  • [EXTERNAL_DOWNLOADS]: The skill requires the ai-todo-cli package to be installed globally from the NPM registry. While this is a vendor-provided tool necessary for the skill's functionality, downloading and installing software from an external registry is a supply-chain operation worth flagging.
  • [COMMAND_EXECUTION]: The skill executes various CLI commands and relies on dynamic discovery (ai-todo --help) to identify available operations. This means the specific commands and their structures are determined at runtime by the vendor's remote server (https://ai-todo.stringzhao.life) rather than being fixed in the skill definition.
  • [PROMPT_INJECTION]: The skill is designed to automatically trigger actions based on data from external, potentially untrusted sources such as git commit messages, PR descriptions, and deployment results, which constitutes an indirect prompt injection surface.
      - Ingestion points: User mentions of tasks, git commit/push messages, deployment logs, PR metadata, and brainstorming session outcomes (found in SKILL.md under 'Workflow Patterns').
      - Boundary markers: Absent. The skill does not specify any delimiters, nor does it instruct the agent to ignore potentially malicious embedded commands within these data sources.
      - Capability inventory: Shell command execution via the ai-todo CLI (including task creation, updates, and logging), package installation via npm, and file reading via cat.
      - Sanitization: Absent. No mention is made of filtering or escaping content from git logs or deployment statuses before the agent processes it.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 23, 2026, 01:31 AM