rust-sota-arsenal
Warn
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The 'Self-Evolving Skill' section in SKILL.md explicitly instructs the agent to 'fix this file immediately' if it discovers errors or workarounds. This promotes self-modifying instruction patterns that could be used to persistently alter agent behavior or bypass future safety constraints.
- [COMMAND_EXECUTION]: The skill provides instructions for executing numerous powerful CLI tools such as 'cargo install', 'ast-grep', and 'samply'. It specifically suggests the use of 'sudo' for performance profiling on macOS, which involves high-privilege operations.
- [EXTERNAL_DOWNLOADS]: A core component of the skill's release pipeline is the script 'plugins/rust-tools/scripts/rust-release-check.sh'. This file was not provided in the analysis package, making its command execution and network operations impossible to verify for security.
- [DATA_EXFILTRATION]: SKILL.md includes a 'curl' command targeting a private network IP address ('172.25.236.1:3002') for a web scraping service. Interacting with internal network resources from an AI agent can facilitate Server-Side Request Forgery (SSRF) or unauthorized internal network exploration.
- [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by ingesting data from the 'crates.io' API and web search results and providing the agent with powerful capabilities (Bash, Write, Edit) to act on that data without defining boundary markers or sanitization. Evidence: Ingestion points (WebFetch from crates.io, WebSearch for changelogs), Boundary markers (Absent), Capability inventory (Bash, Write, Edit, Grep, Read), Sanitization (Absent).