
dogfood

Warn

Audited by Gen Agent Trust Hub on Jun 29, 2026

Risk Level: MEDIUM

Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill relies on system-level tools to perform UI automation and testing workflows, including osascript (AppleScript), cliclick (mouse/keyboard automation), screencapture, and xcrun simctl (iOS simulator).
  • [COMMAND_EXECUTION]: The scripts/dogfood.sh script dynamically generates shell command "recipes" that the agent is expected to execute. The script fails to sanitize or quote user-supplied arguments such as --url and --session when interpolating them into these generated commands, creating a potential command injection vulnerability if the inputs are derived from untrusted repository data or PR descriptions.
  • [DATA_EXFILTRATION]: The skill performs local network operations, including sending POST requests to a notification daemon on localhost:31337 and interacting with local engine APIs (e.g., 127.0.0.1:$PORT) via curl.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes repository configuration files to automatically detect the tech stack.
      • Ingestion points: Reads package.json, app.json, Cargo.toml, next.config.*, mcp.json, and mcp.yaml from the project workspace.
      • Boundary markers: No explicit delimiters are used to isolate the content of these files during the detection phase.
      • Capability inventory: The skill can execute shell commands via generated recipes, perform UI automation, and initiate network requests via curl.
      • Sanitization: Detection is performed using string matching (grep) on file contents, which determines which command recipe is subsequently generated and presented to the agent for execution.
Audit Metadata

Risk Level: MEDIUM
Analyzed: Jun 29, 2026, 02:41 AM
Security Audit — agent-trust-hub — dogfood