asc-workflow

Warn

Audited by Gen Agent Trust Hub on May 4, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The core functionality of the skill involves executing arbitrary shell commands defined in the .asc/workflow.json configuration file. This includes commands specified in the run property of steps, as well as before_all, after_all, and error hooks. Commands are executed using bash -o pipefail -c or sh -c.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it executes instructions stored in a repository-local file, which could be modified by external contributors.
      • Ingestion points: The .asc/workflow.json file is read from the local repository and its contents determine the shell commands to be executed.
      • Boundary markers: Absent. There are no markers or instructions to the agent to ignore potentially malicious shell commands embedded in the workflow definition.
      • Capability inventory: The skill uses asc workflow run, which executes shell commands via subprocess calls on the host machine.
      • Sanitization: Absent. The skill instructions show direct shell expansion ($VAR) for parameters, which does not provide protection against command injection if parameter values contain shell metacharacters.
  • [COMMAND_EXECUTION]: Runtime parameters provided via the CLI (e.g., KEY:VALUE) are interpolated into shell commands. If these parameters are sourced from untrusted inputs in a CI/CD environment, they could be exploited to perform command injection.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 4, 2026, 03:50 PM
Security Audit — agent-trust-hub — asc-workflow