0xkey-keyops-builder

Pass

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill downloads the qos_client binary and its SHA256 sidecar from the vendor's official GitHub repository (0xkey-io/qos). This is a legitimate part of the provisioning workflow described in the documentation.
  • [REMOTE_CODE_EXECUTION]: Binaries downloaded from the vendor repository are marked as executable and invoked using subprocess.run. The skill implements mandatory integrity verification by checking the binary against a downloaded SHA256 hash before any execution occurs.
  • [COMMAND_EXECUTION]: The script scripts/enclave_keyops.py serves as a wrapper for kubectl and the qos_client CLI. It executes these tools to perform enclave management, attestation retrieval, and deployment tasks. It specifically avoids using shell-execution mode for these subprocess calls to reduce injection risks.
  • [DATA_EXFILTRATION]: No evidence of unauthorized data exfiltration was found. The skill makes network requests to well-known domains (GitHub) for software updates and performs health checks on local service endpoints as part of its core functionality.
  • [CREDENTIALS_UNSAFE]: The skill does not contain hardcoded secrets. It includes explicit instructions and technical enforcements to ensure that sensitive key material, such as .secret and .share files, is stored in external vaults outside of the managed workspace. It also features logic to redact sensitive flag values from its audit logs.
  • [PROMPT_INJECTION]: The instructions do not contain any patterns attempting to override system prompts or bypass safety filters. Instead, they include robust cross-role refusal logic to prevent the agent from performing unauthorized actions across different ceremony roles.
Audit Metadata
Risk Level: SAFE
Analyzed: May 20, 2026, 12:38 PM
Security Audit — agent-trust-hub — 0xkey-keyops-builder