The Agent Skills Directory

[COMMAND_EXECUTION]: The skill executes local Python scripts (merge-config.py, merge-help-csv.py, and cleanup-legacy.py) to manage configuration files and remove redundant legacy directories during the setup process.
[EXTERNAL_DOWNLOADS]: The configuration script merge-config.py declares a dependency on pyyaml. This is a well-known and standard library for YAML processing, and its use is appropriate for the skill's functionality.
[DATA_EXFILTRATION]: The skill handles user-provided configuration data and personal preferences. It implements security best practices by separating shared project configuration (config.yaml) from sensitive user settings (config.user.yaml), which is intended to be ignored by version control to prevent accidental exposure of personal data.
[PROMPT_INJECTION]: The skill ingests untrusted data from user responses to prompts and processes it into configuration files. Specifically, it populates module-help.csv, which registers capabilities that influence how the agent interacts with the module in future sessions. The scripts use yaml.safe_load to prevent code execution during the ingestion of YAML metadata.
[COMMAND_EXECUTION]: The cleanup-legacy.py script performs directory removal using shutil.rmtree. It includes a safety verification mechanism (--skills-dir) that ensures skill files are present in the new installation directory before deleting the legacy copies.

bmad-builder-setup