The Agent Skills Directory

[SAFE]: The skill implements a dedicated input validation layer using fs_guard.py, which enforces strict regex checks (e.g., ^[A-Za-z0-9_]+$) for agent names, org IDs, and versions before they are used in shell commands or filesystem path construction.
[SAFE]: The REST client implementation (rest_client.py) includes security-critical primitives, such as a custom StripAuthOnCrossHostRedirect handler that ensures Authorization headers are removed if a request is redirected to an external or untrusted host.
[SAFE]: Automatic redaction of sensitive credentials (bearer tokens and access tokens) is applied to all error messages, tracebacks, and logs using regex-based scrubbing in rest_client.py and sf_cli.py.
[SAFE]: External command execution via the Salesforce CLI (sf) is handled securely through YAML-based recipes and subprocess.run using list-based arguments, avoiding the risks associated with shell interpolation or shell=True.
[SAFE]: The skill follows least-privilege principles by reading only design-time metadata rather than runtime audit logs or user conversation data.
[SAFE]: All local file operations (cache and data storage) are performed using validated paths to prevent path traversal vulnerabilities.

agentforce-architecture-analyze