security-disclosure-triage
Warn
Audited by Gen Agent Trust Hub on Jun 15, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides bash command templates in the verification section that incorporate variables derived from untrusted inputs like security advisories and repository content. Variables such as , , and are used in shell commands without instructions for sanitization or escaping, which could allow a maliciously crafted advisory to achieve command injection.
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection. Ingestion points: The agent processes untrusted metadata from advisories (title, description) and files from the target repository. Boundary markers: The instructions do not specify the use of delimiters or 'ignore embedded instructions' warnings for external content. Capability inventory: The agent is granted shell access (git, npm) which is parameterized by the ingested data. Sanitization: No validation or escaping of the interpolated data is performed before it is used in command-line arguments.