kcli-plan-authoring
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [Data Exposure & Exfiltration] (MEDIUM): The skill documents a read_file filter for Jinja2 templates. This capability allows reading arbitrary files from the host system during the plan rendering process, which could be exploited to access sensitive information if file paths are derived from untrusted input.
- [Unverifiable Dependencies & Remote Code Execution] (LOW): The github_version filter initiates network requests to GitHub to retrieve release information. While GitHub is a trusted source per [TRUST-SCOPE-RULE], it introduces an external dependency during rendering.
- [Dynamic Execution] (MEDIUM): The skill details how to use the cmds and files parameters to run shell commands and inject files into virtual machines. This represents a capability for script generation and execution on provisioned resources.
- [Indirect Prompt Injection] (LOW): The reliance on Jinja2 for rendering plans using external parameters creates an injection surface.

Ingestion points: Parameter files and CLI flags.
Boundary markers: None.
Capability inventory: Host file reading, network access, and VM command execution.
Sanitization: None specified.
Audit Metadata