The Agent Skills Directory

[COMMAND_EXECUTION]: The script scripts/monitor_idle_eips.py implements a setup_cron_job function that uses subprocess.run(shell=True) to modify the system crontab. The shell command is constructed using string interpolation of arguments (--wechat-webhook, --email) without proper sanitization, allowing for arbitrary command injection if these arguments contain shell metacharacters.
[COMMAND_EXECUTION]: SKILL.md provides explicit instructions for the agent or user to execute a sudo command (sudo rm /usr/local/bin/jq) to resolve path conflicts, which grants elevated privileges to modify system-level binaries.
[EXTERNAL_DOWNLOADS]: The skill requires the installation of external dependencies huaweicloudsdkeip and huaweicloudsdkcore from official Python package registries.
[PROMPT_INJECTION]: There is a deceptive inconsistency in the skill's metadata. The SKILL.md frontmatter and description explicitly state the skill is 'Read-only analysis only' and does not perform bandwidth adjustment or EIP release. However, the core commands and reference guides (e.g., references/python-sdk-usage-guide.md) provide detailed instructions and command examples for these exact operations. While the specific management scripts (like adjust_eip_bandwidth.py) are not bundled with this version, the conflicting instructions could mislead the agent's behavior or a user's security assessment.
[DATA_EXFILTRATION]: The monitoring functionality in scripts/monitor_idle_eips.py is designed to send cloud resource metadata (IP addresses, EIP IDs, bandwidth usage) to external webhooks and email addresses provided at runtime. While this is an intended feature for alerting, it establishes a framework that could be misused for data exfiltration if the agent is directed to use an unauthorized endpoint.

huawei-cloud-eip-cost-optimizer