sre-engineer

Warn

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill contains multiple scripts that execute system-level commands using the subprocess module. Examples include kubectl for cluster management, systemctl for service control, and iptables/tc for network manipulation in chaos experiments.
      • Evidence in SKILL.md: subprocess.run(["kubectl", "rollout", "restart", ...]) at line 120.
      • Evidence in references/automation-toil.md: subprocess.run(["systemctl", "restart", "myservice"], ...) at line 146 and subprocess.run(["df", "-h", "/"], ...) at line 104.
      • Evidence in references/incident-chaos.md: subprocess.run(["tc", "qdisc", "add", ...]) at line 201 and subprocess.run(["kubectl", "delete", pod, ...]) at line 222.
  • [COMMAND_EXECUTION]: The AutomatedRunbook class in references/automation-toil.md (line 187) uses subprocess.run(step.command, shell=True), which executes strings directly in a shell. This is a high-risk pattern because it enables shell injection whenever the command string incorporates unvalidated external input.
  • [DATA_EXFILTRATION]: The skill performs network requests to external endpoints. While these currently target a local or internal Prometheus instance, the same pattern could be repurposed for data exfiltration.
      • Evidence in SKILL.md: use of urllib.request.urlopen(url) to query Prometheus at line 112.
      • Evidence in references/automation-toil.md: use of curl via subprocess.run to check service health at line 134.
  • [INDIRECT_PROMPT_INJECTION]: The skill has a significant attack surface for indirect prompt injection because it ingests external data (metrics, incident reports) and possesses powerful command execution capabilities.
      • Ingestion points: metric data from Prometheus (SKILL.md), manual runbook steps, and incident descriptions (references/incident-chaos.md).
      • Boundary markers: absent. There are no delimiters or instructions to ignore embedded commands within the ingested data.
      • Capability inventory: full access to kubectl, systemctl, iptables, and arbitrary shell execution via AutomatedRunbook.
      • Sanitization: none detected. The Python scripts interpolate arguments directly into command strings or lists without validation or escaping (e.g., SKILL.md line 121: f"deployment/{deployment}").
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 24, 2026, 01:36 AM