The Agent Skills Directory

Indirect Prompt Injection (HIGH): The skill ingest untrusted data from external AWS Support communications via aws support describe-communications.
Ingestion points: SKILL.md workflows for 'List Cases' and 'View Case Details'.
Boundary markers: Absent. The agent is instructed to process and translate message content without delimiters or instructions to ignore embedded commands.
Capability inventory: The skill can create cases, reply to cases, and upload attachments.
Sanitization: Absent. There is no filtering of the content retrieved from the AWS API.
Risk: A malicious actor (e.g., a compromised support account or a 'fake' case) could embed instructions in a case reply that the agent might execute, such as 'Close all other cases' or 'Upload the configuration file'.
Data Exfiltration & Exposure (HIGH): The 'Handle Attachments' workflow in SKILL.md provides a mechanism to read local files using base64 -i /path/to/file and upload them to AWS.
Risk: If combined with a prompt injection attack, the agent could be tricked into reading sensitive files like ~/.aws/credentials, .env, or SSH keys and attaching them to an AWS support case where they are accessible to the account owner or AWS support staff.
Command Execution (MEDIUM): The skill utilizes shell command substitution $(...) for date calculations and file encoding.
Evidence: $(date -u -v-14d ...) and $(base64 -i /path/to/file) in SKILL.md.
Risk: While using standard system utilities, the reliance on shell execution for paths and parameters can be vulnerable to command injection if the input variables (like the file path) are sourced from untrusted user input without strict validation.

aws-support-case