skills/smithery/ai/admin-wsl/Gen Agent Trust Hub

admin-wsl

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION] (HIGH): High risk of Indirect Prompt Injection. The skill ingests untrusted data from the Windows host filesystem (/mnt/c/Users/.../*.json) and uses it to drive critical agent logic.
  • Ingestion points: reads profile data from /mnt/c/Users/$WIN_USER/.admin/profiles/$(hostname).json using jq.
  • Boundary markers: None present. The agent assumes the JSON content is safe and authoritative.
  • Capability inventory: sudo apt install, ssh -i, docker exec, and multiple package managers (pip, npm, uv).
  • Sanitization: None. Data from the JSON (hostnames, usernames, key paths, package names) is interpolated directly into shell commands.
  • [COMMAND_EXECUTION] (HIGH): Use of sudo apt install -y $package and various package managers to install software based on variables parsed from the external profile. An attacker modifying the Windows-side JSON could force the agent to install malicious software or execute arbitrary commands via subshells in package names.
  • [CREDENTIALS_UNSAFE] (HIGH): The skill is designed to locate and use SSH private keys (SSH_PATH, KEY) by reading paths from the Windows host. This facilitates the potential exfiltration or misuse of sensitive credentials if the agent's context is compromised or the profile is maliciously crafted.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill uses a wide array of package managers (apt, npm, pnpm, yarn, bun, uv, pip, conda) to download and install third-party code. While these are standard tools, the lack of version pinning or integrity checks for the installed packages increases the risk of supply chain attacks.
  • [DYNAMIC_EXECUTION] (MEDIUM): Shell scripts and command strings are dynamically constructed using values retrieved from the JSON profile (e.g., ssh -i "$KEY" "$USER@$HOST"). This allows for runtime code assembly based on local data that is not under the skill's direct control.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 07:36 AM