cloud-native

Fail

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The _execute_hooks method in gitops/engine.py allows the execution of arbitrary shell commands by passing strings from the application configuration to a subprocess with shell=True. If the configuration data is sourced from untrusted Git repositories, this mechanism enables execution of unvalidated system commands.
  • [REMOTE_CODE_EXECUTION]: The skill implements a _init_flux method in gitops/engine.py that downloads and executes an installation script from FluxCD's official domain using the curl | bash pattern.
  • [EXTERNAL_DOWNLOADS]: In gitops/engine.py, the skill fetches ArgoCD installation manifests directly from the project's official GitHub repository during the initialization process.
  • [COMMAND_EXECUTION]: The skill classes TerraformBackend, PulumiBackend, and GitOpsEngine perform numerous subprocess calls to system binaries including terraform, pulumi, and kubectl. This creates an expansive attack surface in which unvalidated configuration parameters could lead to command injection.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes external configurations that directly influence system-level command execution.
  • Ingestion points: Untrusted data enters the agent context through Application and InfrastructureConfig definitions in gitops/engine.py and iac/multicloud/manager.py.
  • Boundary markers: Absent. The skill does not utilize delimiters or safety instructions to separate legitimate configuration data from potentially malicious embedded instructions.
  • Capability inventory: The skill has extensive capabilities, including arbitrary shell execution (_execute_hooks), network communication via aiohttp, and system-wide infrastructure modification through IaC tools.
  • Sanitization: There is no evidence of validation or sanitization of external input strings before they are used in subprocess calls or shell hooks.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 15, 2026, 11:03 AM