The Agent Skills Directory

[SAFE]: The skill follows secure design principles by incorporating multi-phase validation gates and a 'dry run' option that allows users to inspect the generation plan before any code is written or modified.
[COMMAND_EXECUTION]: The skill uses local shell commands (node, npm, npx, curl, base64) to perform its core functions, such as running validation scripts (validate-ir.js, validate-honor.js), capturing screenshots via Playwright, and downloading assets from Figma. These commands are necessary for the skill's stated purpose and do not involve suspicious execution patterns like piping remote content directly into a shell.
[EXTERNAL_DOWNLOADS]: Fetches design screenshots from Figma's official domains and installs standard helper packages (pixelmatch, pngjs) from the official NPM registry if they are missing from the environment. These are trusted, well-known services.
[PROMPT_INJECTION]: The skill processes untrusted content from external Figma designs (e.g., layer names and text nodes). While this creates a surface for indirect prompt injection, the skill mitigates this risk through structured processing (Intermediate Representation), a visual verification loop that compares rendered output against the original design, and a post-generation code audit (Phase 5).

d2c-build