gitops-workflow

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • REMOTE_CODE_EXECUTION (HIGH): In SKILL.md, the Flux installation command uses curl -s https://fluxcd.io/install.sh | sudo bash. This is a classic remote code execution vector that executes an unverified script from the internet with root privileges.
  • EXTERNAL_DOWNLOADS (HIGH): In both SKILL.md and references/argocd-setup.md, the skill instructs the user to execute kubectl apply on manifests hosted at raw.githubusercontent.com/argoproj/. Since argoproj is not in the Trusted Organizations list, this is a high-risk download and execution of remote configuration.
  • COMMAND_EXECUTION (MEDIUM): The skill performs sensitive operations such as retrieving administrative secrets from the cluster (argocd-initial-admin-secret) and decoding them. While intended for setup, these commands interact with sensitive cluster credentials.
  • DYNAMIC_EXECUTION (MEDIUM): references/sync-policies.md contains an embedded Lua script for ArgoCD health checks. This script is injected into a Kubernetes ConfigMap and executed dynamically by the ArgoCD controller.
  • INDIRECT_PROMPT_INJECTION (LOW): The skill defines ingestion points for untrusted data in SKILL.md via the repoURL fields for ArgoCD and Flux. An attacker who gains control of the specified Git repository could inject malicious manifests or instructions that the agent or the GitOps controller would then process. There are no boundary markers or sanitization steps documented for these inputs.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 04:35 PM