ops-revenue

Pass

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: SAFE
Finding categories: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill accesses highly sensitive cloud and financial data, including AWS Cost Explorer metrics and Shopify GMV. While no direct exfiltration to an attacker-controlled server is detected, it utilizes network-capable tools (curl, WebFetch) and reads credentials from environment variables and doppler. The combination of financial data access and network capability creates a high-sensitivity surface.
  • [COMMAND_EXECUTION]: Executes several shell commands via aws ce, curl, and jq to process billing data. It also uses dynamic context injection (!) to execute a local binary ${CLAUDE_PLUGIN_ROOT}/bin/ops-external at load time, which runs with the user's privileges and could potentially be a vector if that path is tampered with.
  • [PROMPT_INJECTION]: The skill processes project data from registry.json and external sources. These sources are treated as trusted inputs for the dashboard generation without explicit delimiters or 'ignore instructions' warnings. This presents an Indirect Prompt Injection surface where a malicious project name or status field in the registry could influence the agent's behavior during rendering.
  • Ingestion points: Reads project data from ${CLAUDE_PLUGIN_ROOT}/scripts/registry.json and output from ops-external binary.
  • Boundary markers: None. No delimiters or warnings are used when interpolating external data into the prompt.
  • Capability inventory: Uses Bash, Write, WebFetch, and aws ce CLI.
  • Sanitization: No evidence of sanitization or schema validation for data read from the local registry or external APIs before it is rendered into the dashboard template.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 29, 2026, 06:48 AM