ez-ssh
Warn
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to operate as the root user by default and provides commands for high-privilege system operations. Evidence includes the default SSH user configuration ('HA_SSH_USER:-root') and the list of administrative host commands such as 'docker ps', 'journalctl', and 'ha host info' (SKILL.md).
- [DATA_EXFILTRATION]: The skill directs the agent to access highly sensitive file paths and recommends bypassing standard SSH security features. Evidence includes references to private SSH keys ('/.ssh/id_ed25519', '/.ssh/id_rsa') and the Home Assistant 'secrets.yaml' file (SKILL.md). Additionally, the use of '-o StrictHostKeyChecking=no' in the provided SSH connection command bypasses host key verification, increasing susceptibility to man-in-the-middle attacks.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes untrusted data from the host filesystem and logs.
  - Ingestion points: Reads Home Assistant core logs, the system journal, and various configuration files from the host (SKILL.md).
  - Boundary markers: Absent; there are no specific delimiters or warnings to disregard instructions embedded in the logs or host files.
  - Capability inventory: Root-level shell access, ability to write/modify host files, and service management capabilities (SKILL.md).
  - Sanitization: Absent; the instructions do not require the validation or filtering of content read from the host.
  - Mitigation: Implement strict boundary markers for host data and minimize the agent's capabilities when performing automated log analysis.
Audit Metadata