interact
Pass
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: SAFE COMMAND_EXECUTION
Full Analysis
- [SAFE]: The skill operates a local HTTP server that is explicitly bound to '127.0.0.1'. This ensures the GUI and its API endpoints are only accessible from the local machine and are not exposed to the network.
- [COMMAND_EXECUTION]: The 'interact-server.js' script uses 'child_process.spawn' to manage its own lifecycle. It spawns a background instance of itself using the 'serve' command to provide a persistent interaction server while the CLI client returns control to the agent.
- [SAFE]: The script implements XSS mitigation in its UI rendering logic by escaping sensitive HTML characters in the JSON state payload before it is embedded into the browser-side script.
- [SAFE]: All persistence (logs, schemas, and user answers) is restricted to the '.interact/' directory within the project root, following the principle of least privilege regarding file system access.
Audit Metadata