protocol-participation

Fail

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [PRIVILEGE_ESCALATION]: The skill documentation explicitly instructs the execution of scripts using sudo (e.g., sudo bash scripts/setup-gre.sh). It also notes that protocol speakers (BGP, OSPF, GRE) require root access for raw socket operations (TCP/179, IP/89, IP/47). Providing an agent with access to tools that require or assume root privileges creates a high-risk surface for host-level compromise.
  • [COMMAND_EXECUTION]: Several tools and instructions involve direct shell command execution. The gre_tunnel_status tool executes ip tunnel show and ip addr show. Additionally, the lab setup and verification workflows involve running local bash scripts (e.g., bash scripts/verify.sh), which may have unverified contents.
  • [INDIRECT_PROMPT_INJECTION]: The skill represents a significant ingestion surface for untrusted external data. It reads BGP RIB (Routing Information Base) and OSPF LSDB (Link State Database) entries from the network. This data is then processed and acted upon by the agent. A malicious peer could inject crafted routing attributes or LSAs designed to influence the agent's reasoning or trigger downstream tool calls.
      • Ingestion points: bgp_get_peers, bgp_get_rib, ospf_get_neighbors, ospf_get_lsdb (SKILL.md)
      • Boundary markers: None identified in the provided tool definitions to separate network data from instructions.
      • Capability inventory: bgp_inject_route, bgp_withdraw_route, bgp_adjust_local_pref, ospf_adjust_cost (SKILL.md)
      • Sanitization: No explicit sanitization or validation logic is described for the protocol data before it is presented to the agent.
  • [DATA_EXPOSURE]: The skill provides deep visibility into the network control plane, including full routing tables and neighbor adjacencies. While intended for its primary purpose, this information is highly sensitive and could be used for network reconnaissance if exfiltrated.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 11, 2026, 04:37 PM
Security Audit — agent-trust-hub — protocol-participation