autonomous-dev

Warn

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: MEDIUM
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill implements an "Autonomous Mode" that parses requirements and instructions from GitHub issue bodies and comments (found in references/autonomous-mode.md). This exposes the agent to indirect prompt injection: anyone able to write an issue body or comment could embed malicious instructions that the agent would then follow.
  • [COMMAND_EXECUTION]: The skill defines a large set of PreToolUse and PostToolUse hooks in the SKILL.md frontmatter. These hooks automatically execute shell scripts located in the $CLAUDE_PROJECT_DIR/hooks/ directory whenever tools like Bash, Write, or Edit are invoked. This means a significant amount of project-local code is executed automatically as a side effect of normal agent activity.
  • [COMMAND_EXECUTION]: In references/autonomous-mode.md, the skill describes a mechanism to "Apply Pre-existing Changes" by running git apply on diffs or git cherry-pick on branches specified within the issue body. Although it contains a warning to only trust collaborators, this functionality provides a direct path for external code to be merged into the repository through automated agent actions.
  • [COMMAND_EXECUTION]: The skill uses the script scripts/gh-as-user.sh to post comments on GitHub PRs. As stated in SKILL.md and references/review-commands.md, this is specifically designed to bypass bot-detection filters (e.g., Amazon Q Developer) that would otherwise ignore comments from the agent's default identity.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 14, 2026, 07:03 PM