sap-cap-nodejs-dev

Pass

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: No malicious patterns or security risks were identified. The skill is designed for developer productivity and follows best security practices.
  • [PROMPT_INJECTION]: The static analysis detection for system prompt extraction is a false positive. The pattern appears in SECURITY.md (and related reference files) within a security audit checklist that neutrally describes diagnostic grep commands used to verify the skill's safety.
  • [DATA_EXFILTRATION]: The static analysis detection for Unicode steganography is a false positive. It is triggered by a Python-based security audit script in SECURITY.md that contains the hex ranges of zero-width characters specifically to allow developers to scan their projects for such obfuscation techniques.
  • [CREDENTIALS_UNSAFE]: The skill includes standard development-profile mock credentials (e.g., users 'alice' and 'bob') and database defaults (e.g., password 'postgres'). These are common development placeholders and are explicitly scoped to non-production [development] configuration profiles within package.json and documentation templates.
  • [EXTERNAL_DOWNLOADS]: The skill facilitates the use of official SAP development tools, such as @sap/cds-dk and @cap-js/mcp-server. These are well-known, trusted resources from a recognized technology vendor (SAP) and are essential for the skill's primary purpose.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 13, 2026, 03:07 PM