poku
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes shell commands (`curl`, `jq`) to interact with the Poku API. It follows security best practices by using `jq --arg` to safely interpolate user-provided strings (such as phone numbers and message bodies), which effectively prevents shell command injection attacks.
- [DATA_EXFILTRATION]: Network activity is restricted to the legitimate vendor domain `api.pokulabs.com` as required for the skill's primary functions. There is no evidence of unauthorized data transfer to third-party or unknown domains.
- [PROMPT_INJECTION]: The instructions include robust safety guardrails that explicitly prohibit the agent from engaging in deceptive behaviors, such as impersonation of law enforcement, harassment, or the extraction of sensitive personal information from call recipients.
- [SAFE]: The skill enforces strong credential hygiene by instructing the agent to mask the `POKU_API_KEY` in all logs or user-facing output, and by using environment variables for sensitive configuration instead of hardcoding values.
- [SAFE]: A mandatory human-in-the-loop confirmation step ('Ok to proceed?') is required before the agent initiates any outbound calls, SMS, or number reservations, ensuring that no impactful actions occur without explicit user consent.
Audit Metadata