skills/openhands/skills/ssh/Gen Agent Trust Hub

ssh

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [Data Exposure & Exfiltration] (HIGH): The skill explicitly targets and manages highly sensitive files located in ~/.ssh/, including private keys (~/.ssh/id_ed25519, ~/.ssh/key_name) and the SSH configuration file. Access to these files provides direct access to credentials that can be used to compromise other systems.
  • [Indirect Prompt Injection] (HIGH): This skill is highly vulnerable to indirect prompt injection because it ingests data from untrusted sources (remote server command outputs and file content via SCP) while possessing high-privilege capabilities.
      • Ingestion points: Remote command output via ssh and remote file content via scp (SKILL.md, README.md).
      • Boundary markers: Absent; there are no instructions to the agent to ignore or delimit instructions found within remote data.
      • Capability inventory: Local and remote shell command execution (ssh), file transfer (scp), and credential management (ssh-keygen).
      • Sanitization: Absent; the skill does not suggest any validation or escaping of data retrieved from remote hosts.
  • [Persistence Mechanisms] (HIGH): The skill promotes the use of ssh-copy-id to install public keys on remote machines, which is a standard method for establishing persistent access. If misused by a malicious prompt, this could be used to authorize an attacker's key on the user's infrastructure.
  • [Command Execution] (MEDIUM): The skill relies on executing powerful shell commands (ssh, scp, ssh-keygen). While these are necessary for the skill's functionality, they provide the agent with the ability to execute arbitrary code on any host the user has access to.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 15, 2026, 09:28 PM