skf-setup

Pass

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes multiple shell commands to verify the presence and versioning of development tools, including ast-grep, gh, qmd, and ccc. It also manages local data collections via qmd collection remove and performs indexing with ccc index.
  • [PROMPT_INJECTION]: In step-03-auto-index.md, the skill exhibits an indirect prompt injection surface. It ingests the output of qmd collection list and interpolates result variables directly into a shell command (qmd collection remove {collection_name}). While this is used for environment hygiene, it creates a dependency on the integrity of external tool output to prevent command injection.
      • Ingestion points: step-03-auto-index.md (reading tool output from qmd)
      • Boundary markers: Absent
      • Capability inventory: qmd collection remove (shell execution in step-03-auto-index.md)
      • Sanitization: No explicit escaping or validation of collection names is performed before execution.
  • [SAFE]: The skill documents standard practices for secret management by checking for the presence of environment variables like SNYK_TOKEN without exposing their values. All file operations and tool interactions are consistent with the stated purpose of project environment setup.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 11, 2026, 09:53 AM