provision-nixos-server

Fail

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (HIGH): The skill downloads SSH public keys from an individual GitHub user account and pipes them directly into the root user's authorized_keys file. This grants persistent remote access based on an unverified external source.
  • Evidence: curl -s https://github.com/fred-drake.keys > ~/.ssh/authorized_keys in SKILL.md.
  • CREDENTIALS_UNSAFE (HIGH): Configuration templates contain multiple hardcoded SSH public keys. Any server provisioned using these templates will automatically grant access to the owners of these specific keys.
  • Evidence: users.users.default.openssh.authorizedKeys.keys in modules/nixos/host/<hostname>/configuration.nix contains three hardcoded keys.
  • DATA_EXFILTRATION (HIGH): The workflow includes a step that copies a private infrastructure key (id_infrastructure) from the local machine to the newly provisioned remote host via SCP, exposing sensitive local credentials.
  • Evidence: scp ~/.ssh/id_infrastructure default@<NEW_IP>:~/id_infrastructure in SKILL.md.
  • COMMAND_EXECUTION (MEDIUM): The skill frequently executes shell commands on the remote Proxmox host and within containers using ssh and pct exec, which provides a high degree of control over the target system.
  • Evidence: Usage of ssh $PROXMOX_SERVER "pct create..." and ssh $PROXMOX_SERVER "pct exec..." in SKILL.md.
  • PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection because it interpolates user-provided variables (hostname, IP, container ID) directly into shell commands without sanitization or boundary markers.
  • Ingestion points: SKILL.md (Step 1: Gather Requirements).
  • Boundary markers: Absent.
  • Capability inventory: ssh, scp, colmena, pct execution, and file system modifications.
  • Sanitization: Absent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 21, 2026, 10:25 AM