The Agent Skills Directory

[EXTERNAL_DOWNLOADS] (MEDIUM): The skill installs several packages from public registries (NPM and PyPI) that are not within the trusted source scope.
Evidence: pip install terraform-local, pip install pulumi-local, npm install -g aws-cdk-local, and npm install -g aws-cdk in SKILL.md.
[COMMAND_EXECUTION] (HIGH): The skill uses automation flags that bypass human-in-the-loop approval for infrastructure changes. This allows an attacker who can influence the infrastructure files to perform destructive actions or resource creation without oversight.
Evidence: tflocal apply -auto-approve, cdklocal deploy --all --require-approval never, and pulumilocal up --yes in SKILL.md.
[REMOTE_CODE_EXECUTION] (HIGH): Deploying AWS CDK or Pulumi stacks requires the execution of arbitrary Python or Node.js code defined within those projects. If the agent processes a project from an untrusted source, it results in arbitrary code execution on the local host.
Evidence: cdklocal deploy and pulumilocal up execute the logic contained within the user's infrastructure code.
[INDIRECT_PROMPT_INJECTION] (HIGH): This skill has a significant attack surface for indirect prompt injection because it reads and executes external files without sanitization or security boundaries.
Ingestion points: IaC project files (template.yaml, .tf files, Pulumi/CDK source code) referenced in SKILL.md.
Boundary markers: Absent. No instructions are provided to the agent to ignore instructions embedded within the infrastructure templates.
Capability inventory: Ability to execute shell commands and modify local system state via tflocal, cdklocal, pulumilocal, and awslocal wrappers.
Sanitization: Absent. The skill passes template bodies and file references directly to command-line tools.

localstack-deploy