blacksmith-testbox

Fail

Audited by Gen Agent Trust Hub on Apr 24, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The installation instructions direct the agent to download a script from https://get.blacksmith.sh and pipe it directly to the shell (`| sh`). This executes remote code with the privileges of the current user, without any prior inspection or verification of the script's contents.
  • [COMMAND_EXECUTION]: The skill provides an interface to execute arbitrary shell commands on a remote VM via the blacksmith testbox run command, effectively acting as a remote shell wrapper.
  • [COMMAND_EXECUTION]: The file synchronization mechanism uses rsync with the --delete flag. The instructions carry a critical warning: if the agent runs these commands from a subdirectory instead of the repository root, the sync will delete local directories and files so that the local tree matches the remote state.
  • [DATA_EXFILTRATION]: The skill's primary function is to sync local repository data, including source code and untracked files, to a remote cloud environment managed by a third-party service (Blacksmith).
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests data from local files and processes untrusted command strings for remote execution.
  • Ingestion points: Local file system (via rsync sync), environment variables (BLACKSMITH_CHANNEL, BLACKSMITH_ORG), and command-line arguments.
  • Boundary markers: The skill does not use delimiters or instructions to prevent the agent from obeying commands embedded within the files being synced or the commands being executed.
  • Capability inventory: Remote command execution, local file synchronization (read/write), and network access to external cloud providers.
  • Sanitization: There is no evidence of input validation or sanitization for the command strings passed to the run or download functions.
Recommendations
  • HIGH: Downloads and executes remote code from https://get.blacksmith.sh. DO NOT USE without thorough review.
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 24, 2026, 04:51 AM