The Agent Skills Directory

[Unverifiable Dependencies & Remote Code Execution] (MEDIUM): The skill instructs the agent to clone code from 'https://github.com/radixark/miles.git' and pull the 'radixark/miles:latest' Docker image. These sources are not included in the [TRUST-SCOPE-RULE] and cannot be verified as safe.
[Indirect Prompt Injection] (MEDIUM): The workflows ingest external content from local files (e.g., 'data.jsonl') which are used for model training and rollouts. Malicious instructions in this data could affect the training outcome or the resulting model's behavior. * Ingestion points: The '--prompt-data' argument in 'SKILL.md' and 'references/api-reference.md' specifies the entry point for untrusted training data. * Boundary markers: No delimiters or explicit instructions to ignore embedded prompts are provided in the training templates. * Capability inventory: The skill executes 'train.py' which involves subprocess calls and potential execution of custom logic via '--custom-generate-function-path'. * Sanitization: No sanitization of input data or validation of its schema is mentioned.
[Dynamic Execution] (MEDIUM): The skill documentation describes flags like '--custom-generate-function-path' and '--custom-rm-path' which allow the runtime loading and execution of arbitrary Python scripts. If an attacker can control these files or the path arguments, it leads to code execution.
[Privilege Escalation] (LOW): The recommended Docker environment setup uses '--ipc=host', which grants the container access to the host's shared memory. While often used in high-performance ML, this configuration reduces container isolation and increases the risk of host-level exposure if the containerized process is compromised.

miles-rl-training