make-game

Pass

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [INDIRECT_PROMPT_INJECTION]: The skill fetches untrusted third-party content from tweets to serve as game concepts. This presents an indirect prompt injection surface where a malicious tweet could attempt to influence subagent behavior.
      • Ingestion points: tweet-pipeline.md (fetches tweets via fetch-tweet skill).
      • Boundary markers: Present in tweet-pipeline.md (explicit instructions to the agent to ignore any code or directives within tweet text).
      • Capability inventory: Subagents launched via the Task tool have the ability to write/modify code, run builds, install packages, and execute shell commands (SKILL.md, step-details.md).
      • Sanitization: Absent; the skill relies on instructional boundary markers rather than technical filtering.
  • [COMMAND_EXECUTION]: The skill performs several potentially sensitive command executions and environment modifications:
      • Installs Node.js packages (npm install -D @playwright/test, @sparkjsdev/spark).
      • Installs browser binaries (npx playwright install chromium).
      • Modifies the agent's persistent configuration by adding an MCP server (claude mcp add playwright).
      • Executes various local scripts provided within the plugin (build-character.mjs, verify-runtime.mjs, publish.sh).
  • [DYNAMIC_EXECUTION]: The skill exhibits dynamic code generation and execution patterns:
      • It delegates the creation of a capture script (scripts/capture-promo.mjs) to a subagent; the generated script is then executed via node.
      • It implements an 'autofix' loop that dynamically modifies the project's source code based on build or runtime failures detected during the verification phase.
  • [DATA_EXFILTRATION]: The skill manages sensitive data and performs network operations:
      • Accesses and stores credentials in .env and ~/.herenow/credentials (noted as standard practice for the platform).
      • Performs network requests to here.now, play.fun, meshy.ai, and worldlabs.ai for authentication, asset generation, and deployment. These are vendor-owned or well-known service resources for this skill's ecosystem.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 7, 2026, 08:03 PM