varlock

Fail

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructs the user or agent to install the CLI tool by downloading a script from https://varlock.dev/install.sh and piping it directly to the shell (| sh). This installation pattern allows the remote server to execute arbitrary code on the local system.
  • [COMMAND_EXECUTION]: The Varlock configuration schema (.env.schema) supports an exec() function designed to run arbitrary shell commands to retrieve secrets from external sources (e.g., 1Password or AWS CLI). This feature can be exploited to execute arbitrary code if the schema file is modified by an attacker.
  • [EXTERNAL_DOWNLOADS]: The skill fetches resources from https://varlock.dev, which is the official domain for the Varlock tool. While this is expected vendor behavior, the use of remote scripts for installation is a security concern.
  • [PROMPT_INJECTION]: The skill is designed to process external configuration files (.env and .env.schema) which may contain untrusted data.
    • Ingestion points: Reads contents of .env and .env.schema files into the agent context.
    • Boundary markers: None identified in the provided instructions to differentiate between trusted schema definitions and potentially malicious input values.
    • Capability inventory: The agent has the ability to execute shell commands (via the exec() feature in schemas) and perform network operations via curl.
    • Sanitization: While the tool provides masking for terminal output, there is no evidence of sanitization for the commands executed via the schema's exec() function.
  • [COMMAND_EXECUTION]: The skill recommends modifying system shell profile files (~/.zshrc or ~/.bashrc) to update the PATH environment variable, which ensures the tool remains available across sessions.
Recommendations
  • HIGH: Downloads and executes remote code from: https://varlock.dev/install.sh - DO NOT USE without thorough review
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 16, 2026, 05:19 AM