digitalocean-coder

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [Privilege Escalation] (MEDIUM): The skill templates configure a user with passwordless sudo access.
      • Evidence: In SKILL.md, the cloud-init configuration for the 'deploy' user includes sudo: ALL=(ALL) NOPASSWD:ALL. This allows any process running as that user to execute administrative commands without authentication.
  • [Data Exposure & Exfiltration] (MEDIUM): The skill references sensitive local file paths to manage SSH keys.
      • Evidence: SKILL.md uses the HCL function file("~/.ssh/deploy.pub"). Accessing the ~/.ssh directory is a sensitive operation that can lead to credential exposure if the path is manipulated.
  • [Indirect Prompt Injection] (LOW): The skill is vulnerable to indirect prompt injection due to unvalidated variable interpolation into configurations.
      • Ingestion points: Variable inputs such as var.project, var.environment, and var.deploy_ssh_key in SKILL.md.
      • Boundary markers: Absent.
      • Capability inventory: The skill allows the use of Bash, Write, and Edit tools.
      • Sanitization: Absent; external data is interpolated directly into HCL and cloud-init scripts without escaping, which could allow an attacker to inject malicious commands if they control the variable values.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:38 PM