sop-runner
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to run arbitrary shell commands as defined in Standard Operating Procedure (SOP) YAML files located in the 'sops/' directory. Examples include high-privilege operations such as 'kubectl apply', 'pg_dump', and 'npm run build'. This capability poses a risk if an attacker can modify SOP files or if malicious input is interpolated into the command strings.
- [DATA_EXFILTRATION]: The 'http' step type allows the agent to make network requests to arbitrary URLs. It supports the interpolation of environment variables and outputs from previous steps into the request body and headers (e.g., 'Authorization: Bearer $DEPLOY_TOKEN'), providing a mechanism for exfiltrating sensitive data to external endpoints.
- [CREDENTIALS_UNSAFE]: The documentation explicitly demonstrates the usage of sensitive environment variables like '$DEPLOY_TOKEN' within HTTP headers. While the secrets are not hardcoded, the skill facilitates their transmission over the network, which could lead to exposure if sent to unauthorized URLs.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its processing of untrusted data.
  - Ingestion points: The skill reads SOP definitions from the 'sops/' directory and accepts runtime parameters via the 'params' object.
  - Boundary markers: There are no defined delimiters or instructions to ignore embedded commands within the interpolated variables.
  - Capability inventory: The skill possesses the ability to execute shell commands ('type: command') and perform network operations ('type: http').
  - Sanitization: No sanitization, escaping, or validation of the interpolated strings ('${params.*}', '${previous_step.output}') is performed before they are used in execution contexts.
Audit Metadata