design-system

Pass

Audited by Gen Agent Trust Hub on Jun 25, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/slide-token-validator.py uses subprocess.run to execute a local validation script (html-token-validator.py). This is a standard wrapper pattern used to provide a consistent CLI interface and does not pose a security risk as it avoids shell execution and targets internal files.
  • [EXTERNAL_DOWNLOADS]: The slide generation process incorporates resources from well-known services, including Google Fonts and the Chart.js library via the JSDelivr CDN. Additionally, scripts/fetch-background.py provides curated image URLs from Pexels. These are all established, reputable sources for web development assets.
  • [INDIRECT_PROMPT_INJECTION]: While the skill generates HTML slides based on user-provided data (creating a Category 8 attack surface), the implementation in scripts/generate-slide.py includes robust sanitization using HTML escaping for text content and protocol whitelisting for URLs to prevent cross-site scripting (XSS) or injection attacks.
  • [DATA_EXPOSURE]: The skill documentation correctly identifies design tokens as the source of truth and does not access sensitive system files or environment variables. No hardcoded credentials or unsafe data handling practices were detected.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 25, 2026, 09:44 AM
Security Audit — agent-trust-hub — design-system