sglang-jax-skypilot-dev

Status: Warn

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/launch_tpu.sh script renders a YAML template dynamically with sed, which can lead to unintended command or configuration injection.
  • Evidence: The script uses sed to inject the $ACCELERATOR and $NAME shell variables into the tpu_resource.sky.yaml template. While $NAME is sanitized, $ACCELERATOR is used without validation, potentially allowing YAML structure injection if malicious strings containing newlines or YAML syntax are provided.
  • Evidence: The resulting rendered file is directly executed via sky launch "$TEMP_YAML".
  • [COMMAND_EXECUTION]: The skill documentation provides the agent with the ability to execute a wide range of shell commands on both the local machine and remote TPU clusters.
  • Evidence: Commands include sky exec, ssh, rsync, and complex tmux session management (tmux send-keys) which provide high-privilege access to remote infrastructure.
  • [DATA_EXFILTRATION]: The skill requires access to sensitive local files for authentication and data transfer.
  • Evidence: SKILL.md instructs the agent to access the SSH private key at ~/.ssh/sky-key for cluster connectivity and rsync operations.
  • [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection due to its reliance on processing remote execution output.
  • Evidence: Ingestion points: The agent is instructed to read remote status via sky status and capture live server/client logs using tmux capture-pane.
  • Evidence: Boundary markers: No delimiters or instructions to ignore embedded commands within logs are provided in the prompt templates.
  • Evidence: Capability inventory: The agent has the capability to run subprocesses (sky), write to the local filesystem (.cluster_name_tpu), and manage remote sessions via SSH.
  • Evidence: Sanitization: There is no evidence of sanitization or filtering applied to the remote output before it is processed by the agent.
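The sed-based rendering described in the first finding, as an added example that is not the project's scripts/launch_tpu.sh: a constructed stand-in for tpu_resource.sky.yaml, the unchecked sed substitution beside a hardened renderer that allowlists $ACCELERATOR and $NAME before substituting them literally. The template text, the __ACCELERATOR__ and __NAME__ placeholder names and the allowlist pattern are assumptions; the two hostile values are constructed, and the structural effect of the newline payload depends on GNU sed turning a backslash-n in a replacement into a real newline. The example stops at the rendered YAML and does not call sky launch.

```bash
#!/usr/bin/env bash
# Added example, not the project's scripts/launch_tpu.sh. The template text,
# the __ACCELERATOR__ / __NAME__ placeholder names and the allowlist pattern
# are assumptions made for this demonstration; the injection behaviour shown
# for render_unsafe relies on GNU sed.
set -euo pipefail

# Constructed stand-in for tpu_resource.sky.yaml: four lines, two placeholders.
TEMPLATE='resources:
  accelerators: __ACCELERATOR__
  cloud: gcp
name: __NAME__'

# Vulnerable rendering in the style the audit describes: the shell variable is
# spliced into a sed replacement unchecked. GNU sed turns a backslash-n in the
# replacement into a real newline (a new YAML key appears), and an unescaped
# "|" ends the s command so the rest of the value runs as further sed commands.
render_unsafe() {
  local accelerator="$1" name="$2"
  printf '%s\n' "$TEMPLATE" \
    | sed -e "s|__ACCELERATOR__|${accelerator}|" -e "s|__NAME__|${name}|"
}

# Allowlist check. Accelerator specs such as tpu-v4-8 or A100:8 need only
# letters, digits and . _ : - so anything else (newlines, spaces, quotes,
# "|", "\", "&") is rejected before it can reach the template.
validate_accelerator() {
  case "$1" in
    "" | *[!A-Za-z0-9._:-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Hardened rendering: validate both values, then substitute with bash
# parameter expansion. The replacement is quoted so bash inserts it as
# literal text even where patsub_replacement would otherwise expand "&".
# The rendered YAML goes to stdout; the caller would write it to a temp
# file and hand that file to sky launch.
render_safe() {
  local accelerator="$1" name="$2" out
  validate_accelerator "$accelerator" || { echo "rejected ACCELERATOR: $accelerator" >&2; return 1; }
  validate_accelerator "$name"        || { echo "rejected NAME: $name" >&2; return 1; }
  out="${TEMPLATE//__ACCELERATOR__/"$accelerator"}"
  out="${out//__NAME__/"$name"}"
  printf '%s\n' "$out"
}

# Lines in a rendering; the template should always produce exactly four.
line_count() { printf '%s\n' "$1" | grep -c ''; }

# Demo with two constructed hostile ACCELERATOR values.
PAYLOAD_NEWLINE='tpu-v4-8\n  ports: ["8080"]'      # backslash-n, as typed on a command line
PAYLOAD_SED='tpu-v4-8|;s|cloud: gcp|cloud: aws'   # closes the s command, appends another
echo "== unsafe rendering, newline payload (extra YAML key) =="
render_unsafe "$PAYLOAD_NEWLINE" demo
echo "== unsafe rendering, sed payload (cloud silently changed) =="
render_unsafe "$PAYLOAD_SED" demo
echo "== hardened rendering =="
render_safe "$PAYLOAD_NEWLINE" demo || true
render_safe "$PAYLOAD_SED" demo || true
render_safe tpu-v4-8 demo
```

The allowlist is the control that matters: once the value is confined to accelerator-spec characters, neither sed metacharacters nor YAML syntax can reach the rendered file, and the literal substitution removes the second interpreter (sed) from the path entirely.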
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 3, 2026, 02:17 PM