canary-deployment

Pass

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its provided shell scripts (canary-rollout.sh, promote-canary.sh, and analyze.sh).
  • Ingestion points: External parameters such as $NAMESPACE, $DEPLOYMENT, and $NEW_VERSION are accepted as script arguments.
  • Boundary markers: There are no boundary markers or instructions to ignore embedded commands within the input data.
  • Capability inventory: The scripts possess high-privilege capabilities including resource modification via kubectl patch/set, internal network access via curl, and container-level command execution via kubectl exec.
  • Sanitization: The scripts lack any form of input validation or shell escaping, allowing for potential command injection if the input variables are controlled by an attacker.
  • [COMMAND_EXECUTION]: The implementation examples rely on subprocess execution of kubectl and curl. Specifically, the use of kubectl exec to run commands inside production containers for metric gathering is a powerful capability that requires strict access controls.
  • [EXTERNAL_DOWNLOADS]: The canary-monitoring.yaml implementation downloads the curlimages/curl container image and uses the apk package manager to install bc and jq at runtime. These are well-known, trusted utilities and registries.
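Added example, not code from the audited skill or from Gen Agent Trust Hub: a POSIX shell script that places the unsanitized string-building pattern the audit describes next to a hardened equivalent. The hardened functions validate $NAMESPACE and $DEPLOYMENT against the Kubernetes DNS-1123 label grammar and $NEW_VERSION against the image-tag grammar, then pass each value to kubectl as its own quoted argument so the shell never reparses it. The KUBECTL and IMAGE_REPO variables, the `-canary` deployment suffix, the `app` container name, the metrics endpoint and the injection payload are all assumptions constructed for illustration; run the script with `--demo` to see the difference with kubectl replaced by echo, no cluster needed.

```shell
#!/bin/sh
# Added example (not the canary-deployment skill's own scripts). Contrasts an
# eval'd command string with validated, separately quoted arguments for the
# three parameters the skill accepts: NAMESPACE, DEPLOYMENT, NEW_VERSION.
# KUBECTL is overridable so the script can be exercised offline.

KUBECTL="${KUBECTL:-kubectl}"
IMAGE_REPO="${IMAGE_REPO:-registry.example.invalid/payment-api}"  # hypothetical repo
NL='
'

# --- vulnerable pattern: the command line is assembled as text and eval'd ---
# Any shell metacharacter in an argument is parsed as part of the command.
unsafe_set_image() {
  eval "$KUBECTL --namespace $1 set image deployment/$2-canary app=$IMAGE_REPO:$3"
}

# --- hardened pattern: validate first, then pass arguments as separate words ---

# Namespace and deployment names are DNS-1123 labels: 1-63 chars of [a-z0-9-],
# starting and ending with an alphanumeric character.
is_dns_label() {
  case "$1" in *"$NL"*) return 1 ;; esac   # grep matches per line; refuse multi-line input
  printf '%s\n' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$'
}

# Image tags: up to 128 chars of [A-Za-z0-9_.-], first char a word character.
is_image_tag() {
  case "$1" in *"$NL"*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
}

# Returns 0 when all three parameters are acceptable, 1 with the reason on stderr.
validate_args() {
  is_dns_label "$1" || { printf 'invalid namespace: %s\n' "$1" >&2; return 1; }
  is_dns_label "$2" || { printf 'invalid deployment: %s\n' "$2" >&2; return 1; }
  is_image_tag "$3" || { printf 'invalid version: %s\n' "$3" >&2; return 1; }
}

# Each argument reaches kubectl as exactly one argv word; nothing is reparsed.
safe_set_image() {
  validate_args "$1" "$2" "$3" || return 1
  "$KUBECTL" --namespace "$1" set image "deployment/$2-canary" "app=$IMAGE_REPO:$3"
}

# Same rule for the metric-gathering exec the audit flags: the in-container
# command is a fixed word list, never derived from caller input.
safe_exec_metrics() {
  is_dns_label "$1" && is_dns_label "$2" || return 1
  "$KUBECTL" --namespace "$1" exec "deploy/$2-canary" -- curl -fsS http://127.0.0.1:9090/metrics
}

# Offline demonstration: kubectl replaced by echo, constructed injection payload.
if [ "${1:-}" = "--demo" ]; then
  KUBECTL=echo
  echo "--- unsafe, payload in NAMESPACE:"
  unsafe_set_image 'prod; echo INJECTED' payment-api v1.2.3
  echo "--- safe, same payload:"
  safe_set_image 'prod; echo INJECTED' payment-api v1.2.3 || echo "rejected"
  echo "--- safe, clean arguments:"
  safe_set_image prod payment-api v1.2.3
fi
```

The allow-list check is what makes the quoting sufficient: quoting alone would keep `prod; echo INJECTED` as a single argument, but kubectl would still receive a namespace containing a semicolon and fail late, whereas rejecting anything outside the DNS-1123 grammar fails fast and keeps the error message attributable to the caller rather than to the cluster.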
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 4, 2026, 05:26 PM