use-slicer

Fail

Audited by Gen Agent Trust Hub on Apr 21, 2026

Risk Level: HIGH
Flags: DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The 'agent sandbox' commands (e.g., slicer claude, slicer amp) are designed to read sensitive local credentials from the host, such as ~/.claude/.credentials.json, ~/.claude/settings.json, and ~/.local/share/amp/secrets.json. These credentials are moved into the microVM, which could be located on remote vendor infrastructure (e.g., box.slicervm.com).
  • [REMOTE_CODE_EXECUTION]: Documentation for Kubernetes bootstrap workflows includes an example that pipes a remote installer from https://get.k3s.io directly into a shell.
  • [COMMAND_EXECUTION]: Operating the Slicer daemon and accessing its authentication tokens on Linux hosts require elevated privileges; commands such as slicer up are run via sudo.
  • [EXTERNAL_DOWNLOADS]: The skill dynamically installs tools like kubectl and helm using arkade and pulls virtual machine images from the ghcr.io/openfaasltd registry.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface: it ingests local workspace data which is then processed inside a VM with shell access.
    • Ingestion points: workspace syncing via slicer workspace (SKILL.md) or slicer cp (SKILL.md).
    • Boundary markers: none specified.
    • Capability inventory: execution of commands via slicer vm exec (SKILL.md).
    • Sanitization: none specified for the contents of the synced workspace.
Recommendations
  • HIGH: Downloads and executes remote code from https://get.k3s.io. DO NOT USE without thorough review.
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 21, 2026, 03:18 PM