
zerone-cli

Fail

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: HIGH
Flags: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill explicitly requires required_permissions: ["all"] for its operations. This allows the agent to execute any shell command with the highest available privileges, creating a substantial risk if instructions are subverted.
  • [CREDENTIALS_UNSAFE]: The skill contains instructions to programmatically modify .env files (documented in api-generation.md). These files typically house sensitive API keys, tokens, and database credentials. Modification of these files by an agent with full system permissions is a high-risk activity.
  • [EXTERNAL_DOWNLOADS]: The font_grabber tool downloads assets from at.alicdn.com, and the API generation tool fetches remote Swagger JSON from genapi-giime.giikin.com. Both hosts are vendor-related, but the skill still ingests network-fetched content into the local development environment, and no integrity check or validation of what is fetched is described.
  • [REMOTE_CODE_EXECUTION]: The skill utilizes pnpm create zerone and npx create-zerone to scaffold projects. These commands download and execute code from the npm registry at runtime, which is an inherent remote code execution vector.
  • [DATA_EXFILTRATION]: The skill performs operations that read Git history (zerone log) and project configuration files. When combined with the requested full system permissions and the ability of the CLI tools to make network requests to vendor APIs, this provides a potential path for sensitive data exfiltration.
  • [INDIRECT_PROMPT_INJECTION]: The skill has a broad attack surface for indirect injection:
      • Ingestion points: Git commit messages (zerone log), remote Swagger/Apifox documentation (zerone api), and project configuration files.
      • Boundary markers: None are specified to protect the agent from instructions embedded in commit messages or API docs.
      • Capability inventory: High-privilege shell execution, file system writes to .env and package.json, and network access via CLI tools.
      • Sanitization: No sanitization or validation of the external content is mentioned before it is processed or used to generate code.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 24, 2026, 06:45 AM