scaffold-project
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill's primary function is to create a project skeleton on the local file system. All generated content originates from local template files within the `assets/` directory. The skill explicitly prohibits running package installation commands or starting servers, ensuring the user retains control over the final execution environment.
- [EXTERNAL_DOWNLOADS]: The project templates include references to well-known and trusted external services. For example, the devcontainer configuration includes a script to install pnpm from `get.pnpm.io`, and the Dockerfiles reference official images from Microsoft and Docker Hub. These are standard practices for modern development environments.
- [COMMAND_EXECUTION]: The skill uses the system's shell to execute `git init` in the target directory once the files have been written. This is a standard and expected operation for a repository scaffolding tool.
- [PROMPT_INJECTION]: The skill collects user input for project metadata such as name, description, and namespace. It includes strict guardrails directing the AI agent to perform literal string replacement of placeholders and to validate input formats (e.g., kebab-case for project names), which effectively mitigates the risk of the agent interpreting malicious instructions embedded in user responses.
Audit Metadata