The Agent Skills Directory

[COMMAND_EXECUTION]: The skill instructions direct the agent to construct shell commands (curl) by interpolating user-provided inputs such as metric names, jobs, or namespaces into parameters like match[]. While this is required for the skill's functionality, it creates a potential surface for command injection if the agent does not properly sanitize the user-supplied strings before execution.\n- [SAFE_PRACTICE]: The skill follows security best practices by using environment variables (VM_METRICS_URL, VM_AUTH_HEADER) for configuration and authentication, ensuring that no sensitive credentials or endpoint URLs are hardcoded in the instructions.\n- [DATA_INGESTION]: The skill ingests data from external API endpoints to generate reports. This represents a potential indirect prompt injection surface (Category 8) where malicious content within the database metadata (e.g., carefully crafted label values) could attempt to influence the agent's output. However, the risk is considered low as the agent is primarily generating a technical report based on numerical and structural data.\n- [EXTERNAL_DOWNLOADS]: The skill performs network operations using curl to interact with the VictoriaMetrics API. These operations are scoped to the environment variables provided by the user and target the user's own infrastructure, posing no inherent risk of exfiltrating data to unauthorized third parties.

victoriametrics-cardinality-analysis