The Agent Skills Directory

[Indirect Prompt Injection] (HIGH): The skill processes untrusted user-provided application source code and deployment configurations.
Ingestion points: User project directories and source files (e.g., package.json, .env.production) are read into the agent context.
Boundary markers: Absent. There are no delimiters or specific instructions for the agent to ignore embedded instructions within the user's data.
Capability inventory: The skill utilizes extensive execution capabilities, including Docker CLI, Kubernetes (kubectl), AWS CLI (aws ecs), and multiple internal Bash scripts.
Sanitization: Absent. No evidence of sanitization or validation of user-provided filenames or environment variables before they are interpolated into commands.
[Command Execution] (HIGH): The skill requires the execution of multiple opaque Bash scripts (docker-build.sh, docker-run.sh, docker-push.sh, docker-cleanup.sh) described as having over 400 lines of code. Because the source for these files is not provided for audit, they must be assumed to possess arbitrary execution capabilities on the host system.
[Credential Exposure] (MEDIUM): The skill instructions specifically direct the agent to handle sensitive configuration files like .env.production and interact with cloud registry authentication flows (AWS, Google, Azure), which increases the risk of credential exfiltration if the prompt flow is compromised.

docker-containerization