skills/jeremylongshore/claude-code-plugins-plus-skills/apollo-migration-deep-dive | Gen Agent Trust Hub
apollo-migration-deep-dive
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill requests Bash permissions for kubectl and curl. The kubectl tool provides high-level administrative access to Kubernetes clusters, which could be misused to extract secrets, access environment configurations, or modify workloads.
- [EXTERNAL_DOWNLOADS]: The inclusion of Bash(curl:*) allows the agent to retrieve content from any external URL. This permission can be exploited to download and execute malicious scripts or payloads from untrusted sources.
- [DATA_EXFILTRATION]: Given the skill's purpose of handling sensitive contact and CRM records (names, emails, phones) and the availability of the curl tool, there is a potential vector for exfiltrating this data to unauthorized external endpoints.
- [PROMPT_INJECTION]: The skill processes data from external CRM systems (Ingestion points: scripts/migration-assessment.ts and src/migration/validation.ts). It lacks explicit boundary markers or instructions to ignore embedded commands. This creates a surface for indirect prompt injection where malicious data within CRM records could influence the agent's behavior, leveraging its high-privilege tools (Capabilities: kubectl, curl, Write, Edit). No evidence of robust output sanitization for untrusted data was found.