sigma-server-ops-ssh

Fail

Audited by Gen Agent Trust Hub on Feb 25, 2026

Risk Level: HIGH | COMMAND_EXECUTION | REMOTE_CODE_EXECUTION | DATA_EXFILTRATION | PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The helper script scripts/collect_sigma_diagnostics.sh is vulnerable to shell command injection because it does not sanitize parameters before interpolating them into a shell command.
  • Evidence: The script uses a here-doc (cat <<RCMD) to construct a command string for execution on a remote host. Variables $SERVICE, $SINCE, and $LINES are resolved from AI-provided input and placed directly into the command string. An attacker could provide a service name like "; rm -rf / #" to execute arbitrary commands on the remote system.
  • [REMOTE_CODE_EXECUTION]: The skill allows for code execution on both remote and local systems through the manipulation of SSH parameters.
  • Evidence: The HOST parameter provided by the user is passed directly to the ssh command in scripts/collect_sigma_diagnostics.sh. If a user provides an input like -oProxyCommand=calc.exe as the host, it could lead to local command execution on the system running the agent.
  • [DATA_EXFILTRATION]: The skill is designed to retrieve and display system logs, creating a risk of sensitive data exposure.
  • Evidence: The workflows in references/workflows/01-quick-health-check.md and 02-error-triage.md collect logs via journalctl. While there is a guardrail to redact secrets, this relies on the LLM's non-deterministic ability to identify sensitive data in raw logs, which may fail to catch credentials, tokens, or PII.
  • [PROMPT_INJECTION]: The skill has an unsafe indirect injection surface where untrusted user input is interpolated into critical tool execution paths.
  • Evidence: The skill ingests user-provided values for host, service, since, and lines (defined in SKILL.md) and passes them to internal bash scripts without any validation or boundary markers. This allows data provided in a chat context to influence the logic of the underlying operating system commands.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 25, 2026, 04:14 AM