demo-builder

Fail

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill (Phase 3, Step 6 and Phase 4, Step 6) explicitly instructs the agent to ask the user for 'API keys or credentials'. Requesting secrets in the conversation flow leads to credential exposure in chat history and logs, rather than using secure environment variables or secret managers.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to build and test prototypes (Phase 4, Steps 8-9). This involves executing arbitrary commands and scripts generated by the agent, which could be exploited to perform unauthorized actions on the host system. This includes dynamic script generation and execution based on gathered research.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its data-handling architecture.
    1. Ingestion points: Prospect websites, job postings, GitHub repositories, and user-provided documentation URLs (SKILL.md, Phase 2 and 4).
    2. Boundary markers: Absent; there are no instructions to ignore or delimit instructions found in the processed data.
    3. Capability inventory: Bash, Read, Write, Edit, and WebFetch tools provide the ability to execute code, modify files, and communicate over the network.
    4. Sanitization: Absent; the agent is directed to use external content directly to drive demo logic and code generation.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 7, 2026, 02:26 AM