The Agent Skills Directory

[COMMAND_EXECUTION] (HIGH): The skill demonstrates unsafe shell command construction using external data.
Evidence: In the 'Investigate a crash spike' section, the skill captures the output of a command into a variable CLUSTER=$(... | jq -r '.[0].clusterId') and then interpolates it directly into a subsequent shell command: gplay vitals crashes get --cluster-id $CLUSTER. If a crash cluster ID contains shell metacharacters (e.g., ; rm -rf /), it would result in arbitrary command execution when the agent runs the script.
[EXTERNAL_DOWNLOADS] (MEDIUM): The skill relies on an external, non-standard CLI tool named gplay.
Evidence: All primary functions depend on the gplay binary. The source, version, and integrity of this tool are not specified, making it an unverifiable dependency that the agent is expected to execute.
[REMOTE_CODE_EXECUTION] (HIGH): High-risk Indirect Prompt Injection surface.
Ingestion Point: The skill fetches data from the Google Play Console via gplay vitals crashes list (File: SKILL.md).
Capability Inventory: The skill can execute shell commands (jq, gplay) and perform production state changes (gplay promote) (File: SKILL.md).
Boundary Markers: None present. The agent processes raw data from the external source.
Sanitization: None present. The skill directly uses parsed fields in logical checks and shell execution.
Analysis: Since an attacker can influence crash report data (e.g., through exception messages that populate cluster IDs or descriptions), this data acts as an untrusted input that can manipulate the agent's behavior, leading to unauthorized production promotions or command execution.
[CREDENTIALS_UNSAFE] (LOW): Requirement for high-privilege credentials.
Evidence: The skill requires GPLAY_SERVICE_ACCOUNT or gplay auth login with permissions to download bulk reports and promote apps. While necessary for the task, this elevates the impact of the other vulnerabilities.

gplay-vitals-monitoring