The Agent Skills Directory

[COMMAND_EXECUTION]: The script scripts/detect_gpu.py uses subprocess.run() with shell=True to execute vendor-specific SMI tools. While the commands themselves are hardcoded, this pattern is a potential vector for command injection if modified.
[REMOTE_CODE_EXECUTION]: The skill pulls and executes Docker container images from multiple external registries (NVIDIA NGC, Huawei Ascend Hub, Metax, Iluvatar, AMD ROCm, BAAI Harbor) and potentially from unverified sources found via web search.
[DYNAMIC_EXECUTION]: The skill features a self-modification rule in SKILL.md (Step 4.5) and references/image-sources.md (Step 3) that instructs the agent to persistently update the skill's own reference files with newly discovered registry URLs from web search results.
[PRIVILEGE_ESCALATION]: The skill constructs docker run commands that mount sensitive host device files (e.g., /dev/davinci*, /dev/mx*, /dev/kfd) and system-level directories (e.g., /usr/local/Ascend, /opt/iluvatar, /opt/hyhal) into the container, which can lead to host compromise if the container image is malicious.
[INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from external registry APIs and web search results to dynamically build shell commands and update its own instructions.
Ingestion points: Web Search results and JSON responses from various vendor registries (SKILL.md, references/image-sources.md).
Boundary markers: None used when interpolating external registry tags into docker run commands.
Capability inventory: Full Bash access, file system Write access, and the ability to mount host hardware devices.
Sanitization: Relies on basic jq parsing and grep filtering, which may not be sufficient to prevent injection of malicious arguments into docker commands.

gpu-container-setup