The Agent Skills Directory

[COMMAND_EXECUTION]: The skill executes various shell commands to create project directories, initialize frameworks, and start development servers. It proactively mitigates command injection risks by including a mandatory 'Step 0' that instructs the agent to validate all user-provided parameters (name, directory, tag) before execution.
[EXTERNAL_DOWNLOADS]: The skill uses npx, npm, yarn, pnpm, or bun to fetch the create-mastra utility and project dependencies from the official npm registry. Since these tools are authored by the same vendor as the skill (mastra-ai), this is classified as standard intended behavior.
[DATA_EXPOSURE]: The skill interacts with sensitive API keys required for LLM providers. It follows industry best practices by checking existing environment variables first and suggesting the use of a local .env file for storage, rather than hardcoding or logging credentials.
[DYNAMIC_EXECUTION]: The skill generates boilerplate TypeScript files for agents and networks at runtime. These files are constructed using static templates provided in the skill instructions to facilitate automated testing of the Mastra Studio.
[INDIRECT_PROMPT_INJECTION]: The skill uses browser automation to interact with the Mastra Studio UI. While this creates a potential surface for indirect prompt injection if the UI displays untrusted content, the risk is minimal given the local development context and the specific purpose of smoke testing the vendor's own tool.

smoke-test