javascript-sdk

Warn

Audited by Gen Agent Trust Hub on Jun 19, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The documentation and reference files (specifically references/tool-builder.md) provide code examples that use the eval() function to process mathematical expressions generated by the AI agent. This pattern is inherently unsafe as it allows the agent to execute arbitrary JavaScript code if it is successfully prompted to output malicious strings.
  • [EXTERNAL_DOWNLOADS]: The skill instructs users to install an external CLI tool using the command npx skills add belt-sh/cli. This source is not verified or identified as a trusted vendor, posing a risk of downloading and executing untrusted code.
  • [PROMPT_INJECTION]: The skill architecture facilitates indirect prompt injection. The agent configuration allows fetching content from arbitrary URLs (e.g., in the 'Skills' section of SKILL.md) while enabling high-privilege capabilities such as codeExecution. An attacker could host a malicious payload at a URL that, when fetched by the agent, triggers unauthorized actions.
    ◦ Ingestion points: Usage of the url parameter in client.agent({ skills: [...] }) in SKILL.md.
    ◦ Boundary markers: None explicitly shown for remote content retrieval.
    ◦ Capability inventory: Subprocess calls (via allowed tools), code execution (internalTools().codeExecution(true)), and network requests are available.
    ◦ Sanitization: No validation or sanitization of remote skill content is described before use.
  • [REMOTE_CODE_EXECUTION]: The SDK explicitly supports enabling code execution capabilities for agents via the internalTools().codeExecution(true) API. While presented as a feature, it significantly increases the security risk if the agent is exposed to untrusted inputs through its tools or ingested data.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 19, 2026, 02:15 AM
Security Audit — agent-trust-hub — javascript-sdk