capacitor-plugin-upgrades
Pass
Audited by Gen Agent Trust Hub on May 4, 2026
Risk Level: SAFE COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill employs dynamic context injection (!`command` syntax) to run shell commands when the skill is loaded. One command uses `node` to extract dependency information from `package.json`, and another uses `find` to identify relevant project directories. These operations are limited to local project metadata and are consistent with the skill's function.
- [COMMAND_EXECUTION]: The upgrade procedure involves running standard package management and build commands, including `npm install`, `npx cap sync`, and `npm test`. These are executed locally to manage the plugin's lifecycle and verify changes.
- [SAFE]: The skill interacts with untrusted project data by reading `package.json`. Evidence Chain: (1) Ingestion point: `package.json` via node script; (2) Boundary markers: Absent; (3) Capability inventory: npm, npx, and bash via allowed-tools; (4) Sanitization: None. This is standard behavior for development tools and does not indicate a security threat.
Audit Metadata