kernel-filesystem-ops

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • Data Exposure & Exfiltration (HIGH): The read-file and download-dir-zip commands allow the agent to read any file the VM user has access to, including potential configuration files or credentials.
  • Privilege Escalation (HIGH): The set-permissions command allows modifying file modes, owners, and groups, which can be used to bypass local access controls or escalate privileges within the VM.
  • Indirect Prompt Injection (HIGH): This skill has a high vulnerability surface. 1. Ingestion points: read-file in SKILL.md. 2. Boundary markers: Absent. 3. Capability inventory: write-file, set-permissions, and upload-zip in SKILL.md. 4. Sanitization: Absent. The agent could read a malicious file and be coerced into using its write/permission capabilities to compromise the VM.
  • Unverifiable Dependencies (MEDIUM): The skill relies on an external CLI tool, kernel, which is not from a trusted source.
  • Persistence Mechanisms (MEDIUM): The ability to write to arbitrary paths enables the modification of shell profiles (e.g., .bashrc) to maintain access across sessions.
  • Dynamic Execution (MEDIUM): The upload-zip command extracts archives at runtime, which is a potential vector for zip-slip or payload deployment.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 04:37 AM