The Agent Skills Directory

[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to the ingestion of untrusted data from external GitHub repositories.
Ingestion points: The skill fetches and processes README files, source code samples, commit messages, and pull request reviews from any repository provided as input, as seen in references/code-level-analysis.md and references/subagent-dispatch-guide.md.
Boundary markers: No explicit delimiters or instructions are provided to the subagents to distinguish between the evaluation instructions and the content of the fetched files, which may contain malicious prompts designed to manipulate the agent's behavior.
Capability inventory: The agent uses gh api and curl to interact with the environment and external services.
Sanitization: There is no evidence of sanitization or filtering of the fetched content before it is presented to the language model for qualitative assessment.
[COMMAND_EXECUTION]: The skill instructions describe an unsafe pattern that allows for potential shell command injection.
Evidence: In references/rest-unique-signals.md, a package name is extracted from an untrusted package.json file and subsequently used in a shell command: curl -s "https://api.npmjs.org/downloads/point/last-week/$PKGNAME".
Risk: Since the $PKGNAME variable is derived directly from an untrusted file without sanitization or quoting, a malicious repository owner could provide a name containing shell metacharacters (e.g., backticks or dollar-parenthesis) to execute arbitrary commands on the agent's system.
[EXTERNAL_DOWNLOADS]: The skill performs network requests to an external service to gather metrics.
Evidence: It uses curl to query the official npm registry API (api.npmjs.org) for package download data.
Note: This request targets a well-known service and is consistent with the skill's stated purpose of repository evaluation.

run-github-repo-evaluate