createos

Warn

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: MEDIUM
DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS

Full Analysis
  • [Data Exposure & Exfiltration] (MEDIUM): The deploy_static function in scripts/quick-deploy.sh implements a file-harvesting routine. It uses an embedded Python script to recursively read up to 100 files from a directory, encodes them in Base64, and transmits them to an external API (api-createos.nodeops.network). While it blacklists common directories like .git, the lack of strict path validation or a whitelist allows for the potential exfiltration of sensitive data (e.g., SSH keys, credentials) if the agent is directed to process a sensitive root directory.
  • [Command Execution] (LOW): The skill provides and utilizes shell scripts (scripts/quick-deploy.sh) that execute system commands including curl, jq, and python3. This creates a local execution surface that the agent is encouraged to use.
  • [External Downloads] (LOW): The skill performs network operations to api-createos.nodeops.network and nodeops.app. These domains are not part of the trusted external source list, although they are necessary for the skill's stated purpose of cloud deployment.
  • [Indirect Prompt Injection] (LOW): The skill has a significant attack surface for indirect injection.
      • Ingestion points: Untrusted data enters via GetGithubRepositoryContent and local file reads in deploy_static.
      • Boundary markers: No explicit delimiters or instructions are used to separate untrusted content from agent instructions.
      • Capability inventory: The skill can execute shell commands, read/write files, and perform network requests.
      • Sanitization: There is no evidence of sanitization for data retrieved from GitHub or local files before it is processed or displayed.

Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 19, 2026, 11:40 PM