db-backup-restore

Warn

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
  • [DATA_EXFILTRATION]: The skill accesses sensitive private SSH key files on the host system to authenticate with remote servers.
      • Evidence: Paths ~/.ssh/keys/production-server.key and ~/Chatwit-Social-dev/id_rsa.v3 are explicitly referenced for use in SSH commands in SKILL.md.
  • [COMMAND_EXECUTION]: The skill executes arbitrary commands on a remote production server via SSH and interacts directly with Docker containers.
      • Evidence: Use of ssh -i "$SSH_KEY" "$PROD_HOST" to execute docker exec and pg_dump on the remote host 49.13.155.94 in SKILL.md.
  • [COMMAND_EXECUTION]: The skill is susceptible to indirect prompt injection because it processes and acts upon untrusted output from external commands.
      • Ingestion points: Reads and parses the output of psql -lqt and docker ps commands in SKILL.md.
      • Boundary markers: Absent; there are no delimiters or instructions to ignore embedded commands in the processed data.
      • Capability inventory: Includes remote command execution (ssh), local container management (docker), and file system write access (>).
      • Sanitization: Absent; relies on basic shell utilities like cut, sed, and grep, which do not provide security-hardened parsing.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 14, 2026, 09:24 AM