miles-rl-training

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill processes untrusted external training data while possessing high-privilege execution capabilities.
    * Ingestion points: File SKILL.md (Workflow 1, Workflow 2) specifies the ingestion of prompt data from /path/to/data.jsonl.
    * Boundary markers: There are no defined delimiters or instructions to ignore embedded commands within the ingested training data.
    * Capability inventory: File SKILL.md executes training via python train.py, and references/api-reference.md shows the capability to load and execute custom Python files via --custom-generate-function-path.
    * Sanitization: No evidence of sanitization, validation, or escaping of the prompt data before it influences model training or execution.
  • [Unverifiable Dependencies & Remote Code Execution] (MEDIUM): The skill relies on code and environments from unverified external repositories.
    * Source: https://github.com/radixark/miles.git and the Docker image radixark/miles:latest are used as primary components but are not within the trusted organization scope.
    * Method: Instructions include git clone and docker pull followed by execution.
  • [Dynamic Execution] (MEDIUM): The framework enables the runtime loading and execution of arbitrary local scripts.
    * Evidence: The presence of --custom-generate-function-path and --custom-rm-path in references/api-reference.md allows the training process to execute logic defined in external files, increasing the attack surface if combined with file-write capabilities or compromised environments.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 01:34 AM