register-ml-model

Fail

Audited by Gen Agent Trust Hub on Mar 18, 2026

Risk Level: HIGH (COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The GitHub Actions workflow template in references/EXAMPLES.md (Step 6) interpolates user-controlled variables ${{ github.event.inputs.model_name }} and ${{ github.event.inputs.version }} directly into a shell script block (run: | ...). This allows an attacker to execute arbitrary commands by providing crafted inputs.
  • [CREDENTIALS_UNSAFE]: Step 1 in SKILL.md provides a shell command for starting an MLflow server that includes a hardcoded password pass in the database connection string postgresql://user:pass@localhost:5432/mlflow.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect injection through untrusted model metadata.
    1. Ingestion points: User inputs in references/EXAMPLES.md and model metadata (tags, descriptions) retrieved from MLflow in stage_management.py and model_lineage.py.
    2. Boundary markers: Absent. No delimiters or instructions are used to separate untrusted metadata from command logic or output reports.
    3. Capability inventory: Shell command execution in references/EXAMPLES.md, model stage modification in stage_management.py, and local file writing in model_lineage.py.
    4. Sanitization: Absent. No input validation, escaping, or filtering is performed on model names, versions, or tags before they are used in commands or logic.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 18, 2026, 07:14 AM