aso-cosmicmeta-ss

Pass

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: SAFE
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS

Full Analysis
  • [COMMAND_EXECUTION]: The skill uses subprocess.run in update.py to execute git pull for updates and generate_frame.py for asset generation. These calls use hardcoded arguments or script-relative paths, preventing command injection. Evidence: update.py (lines 98, 114).
  • [EXTERNAL_DOWNLOADS]: The skill connects to external services for its core functionality: checking for updates from GitHub's API and sending image data to Google's Gemini API for enhancement. These are well-known technology providers. Evidence: update.py (line 44), gemini_enhance.py (line 458).
  • [SAFE]: The skill handles a Gemini API key for authentication with Google services. It provides a mechanism to save this key locally in .gemini_config.json, which is a standard configuration practice for CLI tools. Evidence: gemini_enhance.py (line 186).
  • [SAFE]: The skill identifies app benefits by analyzing the local codebase. While this creates a surface for indirect prompt injection if the codebase contains malicious text, the skill's capabilities are limited to image generation and local file operations, posing no significant risk. Ingestion points: Local codebase files (Phase 2). Boundary markers: Absent. Capability inventory: Image file creation, subprocess execution for Git. Sanitization: Absent.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 2, 2026, 02:48 AM