watch-ci

Fail

Audited by Gen Agent Trust Hub on Jun 21, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The notification helper script scripts/notify.sh is vulnerable to AppleScript injection. The script interpolates the $MESSAGE variable directly into an AppleScript string literal executed via osascript -e. Because $MESSAGE contains CI check names fetched from GitHub (which are attacker-controlled), a malicious check name such as name\"; do shell script \"...\" can break out of the string literal and execute arbitrary commands on the host system.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to the handling of external data. Ingestion points: Untrusted data is ingested from GitHub via gh pr checks and gh run list in scripts/poll-pr-checks.sh and scripts/poll-runs.sh. Capability inventory: The skill possesses the ability to execute shell scripts in the background and interact with the macOS notification system. Sanitization: There is no evidence of sanitization, filtering, or escaping for the data retrieved from GitHub before it is processed or presented. Boundary markers: The skill lacks delimiters or instructions to the agent to ignore any embedded commands within the PR titles or check names.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 21, 2026, 03:14 PM
Security Audit — agent-trust-hub — watch-ci