brainstorming

Warn

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill ships a custom Node.js server (scripts/server.cjs) that runs on the user's machine. It handles WebSocket handshakes and serves dynamic HTML. Non-trivial networking code shipped with a skill enlarges the attack surface: any parsing or request-handling bug in it is reachable by whatever can connect to the listening port.
  • [COMMAND_EXECUTION]: Shell scripts (scripts/start-server.sh and scripts/stop-server.sh) manage the lifecycle of the background Node.js process, using system commands such as ps, kill, and nohup to start, monitor, and terminate it.
  • [DATA_EXFILTRATION]: The Node.js server exposes a /files/ endpoint that serves files from the session directory. The documentation (visual-companion.md) suggests binding the server to 0.0.0.0 for remote or containerized environments. With that binding, every device that can reach the host on the network, not only the local user, can fetch the served files and drive the interactive prototypes.
  • [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface: it reads user-generated interaction data from a .events file and feeds that data into the agent's context, so anyone who can produce those interactions can place text in front of the model.
    • Ingestion points: The agent is instructed to read structured interaction data from $SCREEN_DIR/.events during the brainstorm loop.
    • Boundary markers: No delimiters or safety warnings mark the data read from the events file as untrusted input rather than instructions.
    • Capability inventory: The skill can execute shell scripts and perform file system operations (writing design specifications), so injected text sits alongside real side-effecting capabilities.
    • Sanitization: The Node.js server applies path.basename on the file-serving endpoint, which blocks directory traversal there, but there is no evidence that the event data is validated or constrained before the agent processes it.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 12, 2026, 11:21 PM