letta-fleet-management

Fail

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: HIGH
Categories: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The mcp_servers configuration (detailed in fleet-config.md) allows servers of type stdio to be defined with an arbitrary command and args. The documentation explicitly demonstrates using npx to run packages; npx resolves and launches a package at start-up, so whoever controls the config (or the package it names) can run arbitrary binaries or scripts on the host.
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill allows tools to be defined with source_code (inline Python) or from_file (an external Python script). Either is a direct path to executing arbitrary logic inside the agent's runtime environment.
  • [CREDENTIALS_UNSAFE] (HIGH): The application requires SUPABASE_SERVICE_ROLE_KEY. This is a high-privilege administrative key that bypasses Row Level Security (RLS) and grants full access to the Supabase project, so a leak or mishandling of it is a critical risk; it should never be committed with the config or exposed to tool code that does not need it.
  • [DATA_EXFILTRATION] (MEDIUM): The folders and from_file capabilities in fleet.yaml let the agent ingest arbitrary local files (glob patterns such as **/*.md are supported). Combined with network-enabled tools, this creates a surface for sensitive data exposure and exfiltration.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The installation instructions use npm install lettactl. While this is standard for Node.js tools, the security of the host depends on the integrity of this external package and its dependency tree.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill has a broad attack surface for indirect prompt injection because of its heavy reliance on ingesting external data sources.
    • Ingestion points: System prompts and memory blocks are populated from local files (./prompts/support.md) and Supabase buckets.
    • Boundary markers: No explicit delimiters or instructions to ignore embedded commands are used when file content is interpolated.
    • Capability inventory: The system can execute Python code and shell commands.
    • Sanitization: There is no evidence of sanitization or content validation for data retrieved from external files or buckets.
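The findings above all reduce to patterns that can be checked mechanically before a fleet config is deployed: a stdio MCP server whose command is not on an allowlist, a tool carrying source_code or from_file, a folder entry with a recursive glob, and a service-role key anywhere in the tree. The linter below is an added example written for this page, not code from the project or the auditor. The field names it reads (mcp_servers with type/command/args, tools with source_code/from_file, folders, env, SUPABASE_SERVICE_ROLE_KEY) come from the findings; the exact nesting, the interpreter allowlist and the sample config are assumptions for illustration, and the sample is constructed, not the project's real fleet.yaml. Feed it the dict that yaml.safe_load returns for a real file.

```python
"""Added example: a policy linter for a fleet.yaml-style agent config.

The field names come from the audit findings; the nesting below is an
assumption for illustration, not the project's documented schema.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Finding:
    category: str
    severity: str  # HIGH / MEDIUM / LOW
    path: str      # dotted location inside the config
    detail: str


# Hypothetical allowlist of interpreters a stdio MCP server may launch.
# npx is deliberately absent: it resolves and runs a package at start-up.
ALLOWED_STDIO_COMMANDS = {"python3", "node"}
# Recursive, parent-escaping or absolute patterns read far beyond one folder.
BROAD_GLOB = re.compile(r"\*\*|\.\./|^[/~]")
# ${VAR} or $VAR: the value is pulled from the environment, not committed.
ENV_REF = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$")
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def _walk(node: Any, path: str = ""):
    """Yield (dotted_path, key, value) for every mapping entry, depth first."""
    if isinstance(node, dict):
        for key, value in node.items():
            sub = f"{path}.{key}" if path else str(key)
            yield sub, str(key), value
            yield from _walk(value, sub)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk(item, f"{path}[{i}]")


def lint_config(cfg: dict) -> list[Finding]:
    findings: list[Finding] = []

    # 1. stdio MCP servers: an arbitrary command + args is host command execution.
    for name, srv in (cfg.get("mcp_servers") or {}).items():
        if srv.get("type") != "stdio":
            continue
        cmd = str(srv.get("command", ""))
        if cmd not in ALLOWED_STDIO_COMMANDS:
            argv = " ".join([cmd, *map(str, srv.get("args") or [])])
            findings.append(Finding("COMMAND_EXECUTION", "HIGH",
                                    f"mcp_servers.{name}",
                                    f"stdio server launches: {argv}"))

    # 2. Tools defined as inline Python or as an external script.
    for name, tool in (cfg.get("tools") or {}).items():
        if "source_code" in tool:
            findings.append(Finding("REMOTE_CODE_EXECUTION", "HIGH",
                                    f"tools.{name}",
                                    "inline source_code runs in the agent runtime"))
        elif "from_file" in tool:
            findings.append(Finding("REMOTE_CODE_EXECUTION", "HIGH",
                                    f"tools.{name}",
                                    f"loads code from {tool['from_file']}"))

    # 3. Folder ingestion with broad globs (plain strings or {path: ...} entries).
    for i, folder in enumerate(cfg.get("folders") or []):
        pattern = folder if isinstance(folder, str) else str(folder.get("path", ""))
        if BROAD_GLOB.search(pattern):
            findings.append(Finding("DATA_EXFILTRATION", "MEDIUM", f"folders[{i}]",
                                    f"broad glob {pattern!r} ingests arbitrary local files"))

    # 4. Service-role credentials anywhere in the tree. A literal value (not an
    #    environment reference) means the key ships inside the config itself.
    for path, key, value in _walk(cfg):
        if "SERVICE_ROLE" in key.upper():
            literal = isinstance(value, str) and not ENV_REF.match(value)
            how = "literal value in config" if literal else "referenced from environment"
            findings.append(Finding("CREDENTIALS_UNSAFE", "HIGH", path,
                                    f"{key} bypasses RLS ({how})"))
    return findings


def risk_level(findings: list[Finding]) -> str:
    """Overall level is the highest single finding; 'NONE' when the config is clean."""
    if not findings:
        return "NONE"
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__)


# Constructed sample mirroring the audited patterns (not the project's real file).
SAMPLE_CONFIG: dict = {
    "mcp_servers": {
        "filesystem": {"type": "stdio", "command": "npx",
                       "args": ["-y", "example-mcp-server", "/"]},
        "local": {"type": "stdio", "command": "python3", "args": ["server.py"]},
    },
    "tools": {
        "inline": {"source_code": "def run(x):\n    return x"},
        "scripted": {"from_file": "./tools/run.py"},
    },
    "folders": ["./docs/**/*.md", "./prompts"],
    "env": {"SUPABASE_SERVICE_ROLE_KEY": "${SUPABASE_SERVICE_ROLE_KEY}"},
}

if __name__ == "__main__":
    report = lint_config(SAMPLE_CONFIG)
    for f in report:
        print(f"[{f.category}] ({f.severity}) {f.path}: {f.detail}")
    print("Risk Level:", risk_level(report))
```

The sample deliberately contains one benign stdio server (python3 on an allowlisted interpreter) next to the npx one, so the output shows that the check is on the launched command, not on stdio itself. Treat the CREDENTIALS_UNSAFE finding as HIGH even when the key is read from the environment: the linter only distinguishes a committed literal from a reference, and the page's point is that a service-role key should not be in the agent's reach at all.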
Recommendations
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 21, 2026, 12:47 PM