k8s-gitops

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (HIGH): Remote manifest application from an untrusted source in SKILL.md
    • Evidence: kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml targets the argoproj organization, which is not on the trusted sources list.
  • REMOTE_CODE_EXECUTION (HIGH): Instruction to apply remote YAML files directly to the cluster execution context.
    • Evidence: The prerequisite command in SKILL.md fetches remote manifests and applies them, which is functionally equivalent to remote script execution on the target infrastructure.
  • COMMAND_EXECUTION (MEDIUM): High-privilege tool suite for cluster state manipulation.
    • Evidence: Tools such as flux_reconcile_tool, argocd_sync_tool, and flux_suspend_tool allow the agent to perform administrative actions that can disrupt or modify production workloads.
  • PROMPT_INJECTION (LOW): Indirect Prompt Injection surface (Category 8).
    • Ingestion points: The skill reads configuration and desired state from external Git repositories via Flux GitRepository and ArgoCD Application resources.
    • Boundary markers: Absent; there are no instructions to the agent to distinguish between valid manifests and embedded malicious natural language instructions.
    • Capability inventory: Tools like flux_reconcile_tool and argocd_sync_tool across SKILL.md, FLUX.md, and ARGOCD.md can be triggered to apply state changes based on the ingested data.
    • Sanitization: Absent; the skill lacks validation mechanisms to filter or escape content retrieved from external repositories.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:34 PM