The Agent Skills Directory

[Privilege Escalation] (HIGH): The skill frequently executes commands using sudo for package management (apt, dnf) and service control (systemctl). This grants the agent root-level access to the system, which is a significant security risk if the agent's instructions are subverted.
[Indirect Prompt Injection] (HIGH): The skill reads configuration data (packages, services, hostnames) from external JSON profiles and interpolates them directly into shell strings (e.g., sudo apt install -y $package and ssh -i "$KEY" "$USER@$HOST").
Ingestion points: Reads from ~/.admin/profiles/{hostname}.json using jq.
Boundary markers: None. No delimiters or instructions to ignore embedded commands are present.
Capability inventory: Uses sudo, ssh, apt, dnf, systemctl, and brew.
Sanitization: None. Shell metacharacters in the JSON fields could lead to arbitrary command execution.
[Data Exposure & Exfiltration] (MEDIUM): The skill handles SSH private keys (keyPath) and server connection details. While necessary for its function, managing these in plaintext JSON profiles without a secure vault increases the risk of credential exposure.

admin-unix