The Agent Skills Directory

[COMMAND_EXECUTION]: The skill executes multiple bash commands to perform its core functions, including git operations (diff, log, commit), file system searches (grep, find), and network requests via curl to interact with the local application under test. These commands are consistent with the tool's stated purpose of providing a QA flow.
[PROMPT_INJECTION]: An indirect prompt injection surface exists as the skill processes data from several untrusted or semi-trusted sources. An attacker who can influence these sources (e.g., via a malicious commit message or by poisoning a log file) could potentially inject instructions that the agent might follow.
Ingestion points: Git commit messages (git log), project metadata files (TODOS.md), application logs (log/development.log), and API responses from the application under test.
Boundary markers: Absent; the skill does not wrap these data inputs in delimiters or provide explicit instructions to the agent to ignore embedded commands.
Capability inventory: The skill possesses significant capabilities, including the ability to write and edit source files and execute git commits.
Sanitization: No sanitization or validation of the ingested data is performed before it is processed by the agent.
[REMOTE_CODE_EXECUTION]: An automated scan alert regarding curl piped to python3 was manually reviewed. The analysis confirmed that the actual command used in the skill is python3 -m json.tool, which is a standard library module used for formatting JSON data. This does not constitute a remote code execution risk as the input is not executed as a script.

stacksmith-qa