work-on-issues

Pass

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: SAFE [PROMPT_INJECTION] [COMMAND_EXECUTION]
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection. It fetches issue data, including titles, descriptions, and comments, from external trackers and incorporates them directly into the instructions for implementation sub-agents. A malicious actor could craft an issue with instructions designed to hijack the sub-agent's behavior, bypass constraints, or perform unauthorized actions.
      • Ingestion points: Issue data is retrieved via gh issue view and glab issue view (SKILL.md).
      • Boundary markers: The instructions lack strict delimiters or 'ignore embedded instructions' warnings for the ingested issue body.
      • Capability inventory: The skill dispatches sub-agents with extensive capabilities, including shell execution, file system access, and git operations.
      • Sanitization: Untrusted data from the tracker is used verbatim without escaping or validation.
  • [COMMAND_EXECUTION]: The skill utilizes shell variables and command substitution (e.g., $(...)) to interact with CLI tools and APIs. This pattern may be vulnerable to command injection if metadata provided by the issue tracker, such as repository paths or issue titles, contains shell metacharacters or malicious payloads. Furthermore, the skill explicitly instructs the agent to bypass human review (e.g., 'bugs are fixed immediately without prompting for confirmation'), which reduces oversight and increases the potential impact of any malicious instructions or execution errors.
Audit Metadata
  Risk Level: SAFE
  Analyzed: May 20, 2026, 07:59 AM