Opus finding
`Determine skill` step writes empty output for unknown event types but README/work step depends on this silently
lowmaintainabilitymedium
- .github/workflows/aeon.yml:80-88
If the workflow is triggered by an event other than workflow_dispatch/workflow_call/issues (none currently exist, but the top-level only filters by `github.event.label.name == 'ai-build'` for issues), no `name` is emitted. The next step then logs 'Nothing to do' and all subsequent steps are gated. That's fine, but the issues handler unconditionally uses skill 'feature' regardless of which label fired — yet the job-level `if` already filtered to label=='ai-build', so any other label triggers a no-op run. Worse, `inputs.skill` for workflow_dispatch is interpolated directly via `${{ inputs.skill }}` into a bash heredoc, which means a value containing newlines or `$(...)` from a malicious dispatcher could write multi-line content into GITHUB_OUTPUT or execute commands. Same risk for `inputs.var` interpolations throughout the file.
Recommendation
Pass `inputs.skill` and `inputs.var` via env vars (as is done for SKILL_VAR in the prefetch step) instead of `${{ inputs.x }}` template interpolation in shell. Validate `inputs.skill` against `^[a-zA-Z0-9_-]+$` before using.