gooserelayvpn-android-client
Warn
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to clone the repository https://github.com/Hidden-Node/GooseRelayVPN-AndroidClient.git. This source is not from a recognized or trusted organization, making it an unverified dependency.
- [COMMAND_EXECUTION]: The build process requires executing a shell script from the downloaded repository (`bash build_go_mobile.sh`). Running scripts from unverified sources is a high-risk operation that could lead to unauthorized system access or code execution during the build phase.
- [COMMAND_EXECUTION]: The skill uses `gradlew` and `gomobile` to compile and package the application, which involves extensive command-line operations based on the downloaded project's configuration.
- [DATA_EXFILTRATION]: The skill includes a troubleshooting section that performs network reachability tests to URLs derived from user-provided `script_keys` (e.g., `https://script.google.com/macros/s/$scriptKey/exec`). While intended for debugging, this mechanism could be used to send signals to external endpoints.
- [PROMPT_INJECTION]: The `importProfile` function in the provided Kotlin code parses JSON input to populate VPN configuration fields. While this is functional, it establishes an attack surface for indirect prompt injection if the JSON source is untrusted or contains malicious metadata, although the impact is limited to the VPN's operational parameters.
Audit Metadata