The Agent Skills Directory

Indirect Prompt Injection (HIGH): The documentation enables an agent to use high-privilege tools such as the Agent Sandbox and GPU management APIs. Evidence Chain: (1) Ingestion points: 176 reference files in the references/ directory. (2) Boundary markers: Absent; the documentation does not guide the agent on establishing safety boundaries for untrusted inputs. (3) Capability inventory: Documents arbitrary code execution via novita-sandbox, system-level file manipulation, and infrastructure lifecycle control. (4) Sanitization: No guidance on sanitizing or validating inputs is provided.
Remote Code Execution (HIGH): The documentation encourages downloading and executing scripts from non-trusted external sources, such as cloning the DocsGPT repository and running setup.sh (references/integrations/docsgpt.md). This pattern is a critical attack vector if an agent attempts to automate the setup process.
Command Execution (HIGH): Multiple reference files (e.g., references/sandbox/commands/overview.md, references/sandbox/quickstart/your-first-sandbox.md) explicitly guide agents on how to execute shell commands and Python code in an external environment. This creates a high risk of malicious command execution via prompt injection.
Privilege Escalation (MEDIUM): Documentation in references/sandbox/mount-cloudstorage.md demonstrates the use of sudo and chmod to manage system permissions. Providing these patterns to an agent increases the potential for misuse.
External Downloads (MEDIUM): The documentation references many third-party packages and repositories (e.g., ai-gradio, DocsGPT) that are not on the developer's trusted source list and require verification of integrity.

novita-docs