s3-explore

Fail

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to run Bash commands in which user-provided arguments (its $0 and ${1} placeholders) are interpolated into double-quoted strings. For example, in Step 2 the <URL> placeholder (derived from $0) is substituted into a duckdb -c "..." invocation. Bash performs command substitution ($(...) and backticks) and parameter expansion inside double quotes, so a 'URL' such as $(whoami) executes arbitrary commands as soon as the rendered string is run. Moving the placeholder inside single quotes would not close the hole either, since a quote character in the input ends the literal (and the same character lands inside the SQL text duckdb executes). The value needs an allow-list check before it is placed in the command, and the rendered text must never be re-evaluated as shell source.
  • [DATA_EXFILTRATION]: Because of the shell command injection above, an attacker who controls the URL input can run commands that read sensitive material, such as environment variables, AWS credentials in ~/.aws/credentials, or SSH keys, and send it to a remote server with curl or wget, both of which are typically available in the Bash environment. Any bucket credentials the skill itself has been given (see CREDENTIALS_UNSAFE below) are among the most likely targets.
  • [PROMPT_INJECTION]: The skill is designed to ingest and process data from external, untrusted sources (S3, GCS and R2 buckets). This creates a surface for indirect prompt injection: instructions embedded in remote Parquet, CSV or JSON content (for example in a string column or a header) could be interpreted by the agent as commands when it previews or queries the data. The skill has no boundary markers or sanitization step separating fetched content from instructions, so nothing tells the agent to treat that text as data only.
  • [CREDENTIALS_UNSAFE]: The skill suggests credential_chain (a safe practice) but also provides templates in which users enter plaintext KEY_ID and SECRET values. These are placeholders, but the instruction encourages pasting raw credentials into a shell command, where they end up in the command history and in the agent's transcript. That is weaker than the credential chain, environment variables or a configuration file, and it is exactly the material the command-injection finding lets an attacker read.
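The expansion behind the COMMAND_EXECUTION finding, and the shape of a fix, as an added shell example. This is not the s3-explore skill's own code: printf stands in for duckdb so the demo runs offline (the shell expansion is identical), and the s3:// allow-list pattern and the function names are assumptions made for the demonstration.

```bash
#!/usr/bin/env bash
# Added illustration, not code from the s3-explore skill. A value pasted into a
# double-quoted bash string is re-parsed when that string is run as shell source,
# so any $(...) or `...` inside it executes. printf is a stand-in for duckdb -c.

# Vulnerable shape: the URL placeholder is rendered into the command text and the
# result is handed to bash to execute (eval models the agent running the string).
render_unsafe() {
  local url="$1"
  local cmd="printf '%s\n' \"SELECT * FROM read_parquet('${url}')\""
  eval "$cmd"    # a url of 'x$(echo INJECTED)' runs echo here
}

# Hardened shape, step 1: allow-list the URL before it goes anywhere near a command.
# The pattern is an assumption for the demo: s3://bucket/key with a conservative
# character set; it rejects $, `, quotes, spaces and everything else not listed.
is_safe_url() {
  case "$1" in
    s3://[A-Za-z0-9]*/*) ;;            # must look like s3://bucket/key
    *) return 1 ;;
  esac
  case "$1" in
    *[!A-Za-z0-9./_:-]*) return 1 ;;   # any character outside the set: reject
  esac
  return 0
}

# Hardened shape, step 2: expand the variable once, as data, and never eval the
# result. Without eval, '$(whoami)' would just appear literally; the allow-list is
# still required because the URL also sits inside a SQL string literal, where a
# quote character would break out of it.
render_safe() {
  local url="$1"
  is_safe_url "$url" || { echo "rejected URL: $url" >&2; return 1; }
  printf '%s\n' "SELECT * FROM read_parquet('${url}')"
}

# Demo (constructed inputs): the same payload under both shapes.
render_unsafe 'x$(echo INJECTED)'   # INJECTED appears: the substitution ran
render_safe   'x$(echo INJECTED)'   # rejected before any command is built
render_safe   's3://bucket/data.parquet'
```

The payload uses echo so the effect is visible and harmless; in the real skill it could be any command, which is why the fix has to happen before the string is rendered, not after.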
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 14, 2026, 07:02 PM