building-gitops-workflows

Warn

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [CREDENTIALS_UNSAFE] (MEDIUM): The Error Handling section in SKILL.md explicitly directs the configuration of sensitive credentials (SSH keys and access tokens) within {baseDir}/.git/config. Storing secrets in plaintext on the filesystem is a risk when the agent has broad file access.
  • [DATA_EXFILTRATION] (MEDIUM): The skill is granted Read, Edit, and Glob permissions. These tools can be used to access the {baseDir}/.git/config file mentioned in the instructions, potentially allowing the agent to read and exfiltrate Git credentials or Kubernetes secrets stored in the workspace.
  • [COMMAND_EXECUTION] (LOW): The skill enables Bash access restricted to kubectl and git binaries. While this is a good use of the least-privilege principle, these binaries are highly powerful and can be used to modify cluster states or push malicious code to repositories.
  • [INDIRECT_PROMPT_INJECTION] (LOW):
      ◦ Ingestion points: The skill is designed to read and process manifests from external Git repositories.
      ◦ Boundary markers: Absent; there are no instructions for the agent to ignore or delimit instructions found within the fetched YAML manifests.
      ◦ Capability inventory: The agent can execute kubectl commands and Write/Edit files.
      ◦ Sanitization: Absent; the skill does not define a process for validating or sanitizing external configuration files before they are applied to the Kubernetes cluster.
  • [REMOTE_CODE_EXECUTION] (LOW): The scripts/README.md file references several automation scripts (e.g., argo_flux_install.sh) that are not included in the provided skill package. If the agent attempts to fetch these from an unverified external source at runtime, it creates a risk of unvetted code execution.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 18, 2026, 09:15 PM