devops

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The orchestrator script (bootstrap.sh) and its modular components (postgresql.sh, docker.sh, etc.) execute arbitrary shell commands with root privileges. The run helper in lib/common.sh executes each command via bash -lc, i.e. through a fresh login shell that also sources /etc/profile and the user's profile scripts before running it, which gives the skill a broad, high-privilege execution surface.
  • [CREDENTIALS_UNSAFE] (HIGH): The app_user.sh and deploy_keys.sh modules manage persistent access by appending keys to authorized_keys. These scripts ingest public keys from file paths specified in environment variables without verifying the integrity or origin of the key files.
  • [COMMAND_EXECUTION] (HIGH): The deploy_keys.sh module modifies the system's security policy by writing NOPASSWD entries to /etc/sudoers.d/. This grants the specified agent user permanent, passwordless administrative privileges for a list of powerful system commands.
  • [PROMPT_INJECTION] (HIGH): The skill implements a text-based 'APPROVE' block as its primary security gate (SKILL.md). This architecture is vulnerable to indirect prompt injection; if the agent processes an external file, change ticket, or log containing a maliciously crafted approval block, it could be tricked into bypassing the user's manual authorization gate.
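The two credential-handling findings above (key files taken from environment-variable paths without an origin check, and NOPASSWD entries written to /etc/sudoers.d/) are the ones a practitioner can fix mechanically. The bash below is an added example, not code from the audited skill, showing the hardened shape of those steps: the key file must match a SHA-256 the operator pinned out of band, must contain exactly one bare OpenSSH key line (so a crafted file cannot smuggle `command=` or `from=` options in), and the sudoers entry is built only from an explicit allowlist of absolute command paths and checked with `visudo -cf` before it is installed. The variable names AGENT_PUBKEY_FILE and AGENT_PUBKEY_SHA256, all function names, and the demo key (a dummy base64 string, not a real key) are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not code from the audited skill. Hardened counterparts of the
# two patterns flagged in the audit: (1) appending an operator-supplied public
# key to authorized_keys, (2) writing a NOPASSWD entry under /etc/sudoers.d/.
# Hypothetical names: AGENT_PUBKEY_FILE, AGENT_PUBKEY_SHA256 and every function.
set -euo pipefail

# Portable SHA-256 of a file (sha256sum on GNU systems, shasum elsewhere).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Accept one bare OpenSSH public key line of a modern type, optionally followed
# by a comment. A line that starts with options (command=, from=, ...) does not
# match, so a crafted key file cannot smuggle a forced command into the account.
validate_pubkey_line() {
  local line="$1"
  local re='^(ssh-ed25519|sk-ssh-ed25519@openssh\.com|ecdsa-sha2-nistp256|ssh-rsa) [A-Za-z0-9+/]+={0,2}( [^[:space:][:cntrl:]]+)?$'
  [[ "$line" =~ $re ]]
}

# The origin/integrity check the audit found missing: the file named in
# AGENT_PUBKEY_FILE must exist, hold exactly one line, match the digest the
# operator pinned in AGENT_PUBKEY_SHA256, and that line must be a valid key.
verify_pubkey_file() {
  local file="$1" expected_sha="$2"
  [ -f "$file" ] || return 1
  [ "$(grep -c '' "$file")" -eq 1 ] || return 1
  [ "$(file_sha256 "$file")" = "$expected_sha" ] || return 1
  validate_pubkey_line "$(head -n1 "$file")"
}

# Append the verified key once; create authorized_keys mode 0600 if absent.
append_authorized_key() {
  local file="$1" expected_sha="$2" auth_keys="$3" line
  verify_pubkey_file "$file" "$expected_sha" || return 1
  line="$(head -n1 "$file")"
  ( umask 077; [ -f "$auth_keys" ] || : > "$auth_keys" )
  grep -qxF -- "$line" "$auth_keys" || printf '%s\n' "$line" >> "$auth_keys"
}

# Build a sudoers.d entry from an explicit allowlist of absolute command paths.
# Relative names, wildcards, embedded spaces and the ALL alias are rejected.
# Caveat: a bare path still lets sudo run that command with ANY arguments, so
# keep the list to commands that are safe regardless of how they are invoked.
render_sudoers_entry() {
  local user="$1"; shift
  [[ "$user" =~ ^[a-z_][a-z0-9_-]*$ ]] || return 1
  [ "$#" -gt 0 ] || return 1
  local cmd joined=""
  for cmd in "$@"; do
    [[ "$cmd" =~ ^/[A-Za-z0-9_./-]+$ ]] || return 1
    joined="${joined:+$joined, }$cmd"
  done
  printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$joined"
}

# Install the entry only after visudo accepts it. visudo -c also checks the
# file's owner and mode, so this step must run as root (as the skill does);
# the check is skipped only where visudo is not installed at all.
install_sudoers_entry() {
  local dest="$1" entry="$2" tmp
  tmp="$(mktemp)"
  printf '%s\n' "$entry" > "$tmp"
  chmod 0440 "$tmp"
  if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp" >/dev/null 2>&1; then
    rm -f "$tmp"; return 1
  fi
  install -m 0440 "$tmp" "$dest" && rm -f "$tmp"
}

# Demo on constructed data (dummy key, not a real one): ./hardened.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d="$(mktemp -d)"
  printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGx4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4 agent@example\n' > "$d/agent.pub"
  AGENT_PUBKEY_FILE="$d/agent.pub"
  AGENT_PUBKEY_SHA256="$(file_sha256 "$AGENT_PUBKEY_FILE")"   # operator would pin this out of band
  append_authorized_key "$AGENT_PUBKEY_FILE" "$AGENT_PUBKEY_SHA256" "$d/authorized_keys" && echo "key appended"
  render_sudoers_entry agent /usr/bin/systemctl /usr/bin/docker
  rm -rf "$d"
fi
```

In a real deploy_keys.sh the pinned digest would come from the change ticket or a signed manifest rather than from the same filesystem path as the key, otherwise the check proves nothing; and `render_sudoers_entry` deliberately has no escape hatch for `ALL` or wildcards, so widening the allowlist is a visible code change rather than an environment variable.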
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 08:47 AM