qwencloud-vision
Pass
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: SAFE
Full Analysis
- [CREDENTIALS_SAFE]: The skill includes explicit instructions and code logic to prevent API key leakage. It masks credentials in logs and errors, and mandates the use of environment variables or .env files for secret management.
- [COMMAND_EXECUTION]: The script scripts/gossamer.py uses subprocess.run to execute a sibling Python script for update checking. This is limited to internal orchestration using the local Python interpreter and absolute paths.
- [EXTERNAL_DOWNLOADS]: The skill interacts with Alibaba Cloud's DashScope and OSS services to process image and video data. It can upload local files to temporary cloud storage and download remote files for processing, which are standard operations for a vision-based AI skill.
- [PROMPT_INJECTION]: The skill processes user prompts and file inputs for visual analysis. While it is subject to standard indirect prompt injection risks common to LLM vision tasks, it lacks high-risk capabilities like arbitrary shell execution or system-level modification.
- [PERSISTENCE]: A state file is maintained at .agents/state.json to store user preferences regarding update notifications, representing a benign local persistence mechanism.
Audit Metadata