unsloth-training

Fail

Audited by Gen Agent Trust Hub on Feb 23, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • REMOTE_CODE_EXECUTION (HIGH): The skill instructs the user to download shell scripts from external URLs and pipe them straight into a shell. Whatever the server returns is executed without being saved, inspected, or checked against a pinned digest or signature, so a compromised origin, a hijacked DNS answer, or an intermediary that can alter the response gets arbitrary code execution on the user's machine. Evidence: 'curl -fsSL https://ollama.com/install.sh | sh' (detected by automated scanner) and 'curl --proto "=https" --tlsv1.2 -sSf https://sh.rustup.rs | sh' in reference/deployment.md. The rustup form pins HTTPS and TLS 1.2, which hardens the transport, but it still executes unreviewed, unpinned content.
  • EXTERNAL_DOWNLOADS (MEDIUM): Multiple files instruct the user to install third-party packages and binaries that the skill does not verify. Evidence: frequent use of 'pip install' with force-reinstall flags, and experimental packages such as 'fbgemm-gpu-genai'. Force-reinstall also overwrites an already audited environment, so a later package release is picked up silently.
  • COMMAND_EXECUTION (MEDIUM): The documentation includes examples that manipulate the environment through shell commands and set sensitive environment variables. Evidence: Docker configurations in reference/deployment.md pass passwords such as USER_PASSWORD and JUPYTER_PASSWORD as container environment variables, where they are exposed to anyone who can run 'docker inspect', read /proc/<pid>/environ, or see the shell history of the command that set them.
  • DATA_EXFILTRATION (LOW): Example code demonstrates reading from a sensitive configuration directory. Evidence: reference/deployment.md includes a command accessing '~/.ssh/id_rsa.pub'. While id_rsa.pub is a public key, the example normalizes reading from ~/.ssh, the directory that also holds the corresponding private key, which is a high-risk pattern for an agent-driven skill.
  • PROMPT_INJECTION (LOW): The skill is exposed to indirect prompt injection because its core function is training on external datasets.
    1. Ingestion points: 'train_dataset' in reference/fp8-training.md and reference/vision-training.md.
    2. Boundary markers: absent; no instructions tell the agent to treat dataset content as untrusted.
    3. Capability inventory: shell access for installations and file-system writes for saving models.
    4. Sanitization: absent; dataset content is processed directly.
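The first finding is usually fixed by replacing "pipe into sh" with "fetch to disk, compare against a pinned digest, then run". The script below is an added example written for this audit page; it is not code from the unsloth skill, nor Ollama's or rustup's installer. The digest it pins is computed over a constructed local stand-in for an installer, so the whole thing runs offline; fetch_then_verify is the online form and is not exercised here. It assumes either coreutils sha256sum or BSD shasum is on PATH. The pinned value has to come from somewhere other than the download itself (a release page, a signed manifest, or your own review of a version-pinned copy), otherwise the check only proves that two fetches returned the same bytes.

```shell
#!/bin/sh
# Added example: fetch an installer to disk, verify a pinned SHA-256, and only
# then execute it. The hashes here are over a constructed local script, not a
# real vendor installer.
set -eu

# Portable SHA-256 of a file (coreutils sha256sum, or shasum on macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verified_run FILE EXPECTED_SHA256
# Executes FILE with sh only when its digest equals EXPECTED_SHA256.
# Returns 1, and runs nothing, if the file is missing/empty or the hash differs.
verified_run() {
  file=$1
  expected=$2
  if [ ! -s "$file" ]; then
    echo "refusing: $file is missing or empty" >&2
    return 1
  fi
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "refusing: sha256 mismatch for $file" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
  fi
  sh "$file"
}

# fetch_then_verify URL FILE EXPECTED_SHA256
# The online form: curl writes to disk, never into sh. Not run in this demo.
fetch_then_verify() {
  curl --proto '=https' --tlsv1.2 -fsSL -o "$2" "$1"
  verified_run "$2" "$3"
}

# --- Constructed demo input standing in for a downloaded installer ---
demo_dir=$(mktemp -d)
good="$demo_dir/install.sh"
printf '#!/bin/sh\necho installed-ok > "%s/marker"\n' "$demo_dir" > "$good"
# In practice this value is obtained out of band and pasted in as a literal.
good_hash=$(sha256_of "$good")

# A modified copy of the same installer: one byte of logic changed.
tampered="$demo_dir/install-tampered.sh"
printf '#!/bin/sh\necho TAMPERED > "%s/marker"\n' "$demo_dir" > "$tampered"

# Pinned hash matches: the installer runs.
verified_run "$good" "$good_hash"
# Pinned hash does not match: refused, nothing executed.
verified_run "$tampered" "$good_hash" || echo "tampered installer rejected"
```

Keep the expected digest as a literal in the committed script, bound to a specific installer version; a hash that is recomputed from the same URL at install time verifies nothing.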
Recommendations
  • HIGH: Downloads and executes remote code from https://ollama.com/install.sh and https://sh.rustup.rs - DO NOT USE without thorough review. At minimum, save each script to disk, read it, and pin its digest before running it.
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 23, 2026, 02:39 AM