The Agent Skills Directory

[EXTERNAL_DOWNLOADS] (MEDIUM): The certificate generation guide suggests downloading binaries directly from GitHub and installing them to system paths.
Evidence: 'references/certificate-generation.md' contains commands to download 'cfssl' from 'cloudflare' and 'mkcert' from 'FiloSottile' using 'curl' and 'wget', then moving them to '/usr/local/bin' using sudo.
Risk: Neither 'cloudflare' nor 'FiloSottile' are in the trusted repository/organization list. Downloading and executing unverified binaries is a significant security risk, especially when suggested for automated environments.
[COMMAND_EXECUTION] (LOW): Scripts process external input for hostnames and domains without thorough sanitization.
Evidence: 'scripts/check-cert-expiry.sh' and 'examples/self-signed/generate.sh' use command-line arguments directly in 'openssl' calls and file-writing operations.
Risk: Although specific shell injection was not found due to quoting, the lack of input validation for arguments passed to system commands can lead to unintended tool behavior.
[PROMPT_INJECTION] (LOW): The skill possesses surface area for indirect prompt injection via unvalidated hostname and domain inputs.
Ingestion points: CLI arguments in 'scripts/check-cert-expiry.sh' and 'examples/self-signed/generate.sh'.
Boundary markers: Absent.
Capability inventory: File writing ('cat'), network connectivity ('openssl s_client'), and local command execution ('openssl x509').
Sanitization: Absent; arguments are used directly in shell commands.

implementing-tls