reactlynx-best-practices

Warn

Audited by Gen Agent Trust Hub on Jun 15, 2026

Risk Level: MEDIUM
Category: COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The SKILL.md file instructs the agent to run a helper scanner via `node -e`. The command template places user-provided file paths or source code directly into a JavaScript string literal by interpolation: `const input = '<sourceCodeOrFilePath>';`. Because nothing escapes the value, an attacker-controlled input containing a single quote terminates the string literal, and whatever follows is parsed and executed as JavaScript by the `node -e` process, giving unauthorized code execution in the agent's environment. The value should be passed as data (for example as a separate argv element or as a JSON-serialized literal), not spliced into code.
  • [SAFE]: All documentation links in SKILL.md point to the official lynxjs.org domain, which is the legitimate home of the Lynx project.
  • [SAFE]: The analysis logic in scripts/index.mjs implements heuristic scanning using regular expressions and string manipulation; it performs static analysis only and does not execute or evaluate the source code it processes.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 15, 2026, 05:30 AM
Security Audit — agent-trust-hub — reactlynx-best-practices