bmad-shard-doc

Warn

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill downloads the @kayvan/markdown-tree-parser package from the npm registry via npx. This package originates from an unverified third-party account rather than a trusted organization or well-known service.
  • [REMOTE_CODE_EXECUTION]: The use of npx with an external package name results in the execution of code fetched from a remote registry at runtime, which presents a supply chain risk.
  • [COMMAND_EXECUTION]: The skill constructs shell commands by interpolating [source-document] and [destination-folder] variables. This pattern is susceptible to command injection if the user-provided file paths contain shell metacharacters.
  • [COMMAND_EXECUTION]: The skill includes a workflow step specifically designed to delete or move the original source document. This capability allows the agent to perform destructive file operations on the local file system.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 11, 2026, 09:53 AM