reactuse
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFE
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill documents the useScript hook, which is designed to dynamically load and execute JavaScript from remote URLs in the browser environment. A script injected this way runs with the same origin privileges as the page's own code, so whoever controls the URL (or can tamper with the response in transit) controls the page.
- [COMMAND_EXECUTION]: The skill provides instructions for hooks that execute browser-mediated actions, such as useFileSystemAccess for local file operations, useVibrate for device haptics, and useDisplayMedia for screen sharing.
- [DATA_EXFILTRATION]: The skill includes documentation for hooks that access sensitive browser data (e.g., useClipboard, useCookie, useGeolocation, useLocalStorage) and hooks that perform network communication (e.g., useQuery, useMutation, useWebSocket), which together create a potential pathway for data exfiltration if used improperly.
- [EXTERNAL_DOWNLOADS]: The skill references and encourages the use of the external library @siberiacancode/reactuse and provides examples for fetching remote scripts, images, and other assets.
- [PROMPT_INJECTION]: Indirect prompt injection surface:
  - Ingestion points: Data entering the application through useQuery (network), useClipboard, useFileSystemAccess (local files), useWebSocket, and useEventSource (SSE).
  - Boundary markers: Absent. No specific instructions are provided to the agent to warn about or isolate potentially malicious instructions within data retrieved via these hooks.
  - Capability inventory: The skill documents capabilities to execute remote code (useScript), perform network mutations (useMutation), and write to the local file system (useFileSystemAccess).
  - Sanitization: Absent. The documentation does not include requirements for sanitizing or validating ingested data before processing or rendering it.
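The two findings above that matter most in practice are the remote script loader and the outbound network sinks. The following is an added example written for this audit page; it is not code from reactuse or from the skill, and it does not call the library's hooks. It shows the policy gate a consumer would put in front of a useScript-style loader and in front of fetch/WebSocket targets: HTTPS only, an origin allowlist, and a mandatory Subresource Integrity hash for scripts so a compromised CDN cannot swap the file. The names ALLOWED_SCRIPT_ORIGINS, ALLOWED_CONNECT_ORIGINS, checkScriptSource, checkConnectTarget and loadScript are assumptions chosen for illustration, and the allowlisted hosts are placeholders.

```javascript
'use strict';

// Added example, not reactuse library code. The allowlists below are
// placeholders; a real deployment would populate them from configuration.
const ALLOWED_SCRIPT_ORIGINS = new Set(['https://cdn.example.com']);
const ALLOWED_CONNECT_ORIGINS = new Set([
  'https://api.example.com',
  'wss://api.example.com',
]);

// SRI hash as emitted by `openssl dgst -sha384 -binary lib.js | openssl base64 -A`.
const SRI_RE = /^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$/;

function parseAbsolute(url) {
  // Relative URLs, "javascript:" and "data:" URLs are rejected here or by the
  // protocol checks below; we never hand an unparsed string to a DOM sink.
  try {
    return new URL(url);
  } catch {
    return null;
  }
}

// Gate for a dynamically injected <script>: https, allowlisted origin, SRI.
function checkScriptSource(src, integrity) {
  const parsed = parseAbsolute(src);
  if (parsed === null) return { ok: false, reason: 'unparseable or relative URL' };
  if (parsed.protocol !== 'https:') return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  if (!ALLOWED_SCRIPT_ORIGINS.has(parsed.origin)) return { ok: false, reason: `origin ${parsed.origin} not allowlisted` };
  if (typeof integrity !== 'string' || !SRI_RE.test(integrity)) return { ok: false, reason: 'missing or malformed SRI hash' };
  return { ok: true, reason: 'ok' };
}

// Gate for outbound fetch / WebSocket / EventSource targets (the exfiltration
// sinks): https or wss only, and the origin must be allowlisted.
function checkConnectTarget(url) {
  const parsed = parseAbsolute(url);
  if (parsed === null) return { ok: false, reason: 'unparseable or relative URL' };
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'wss:') return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  if (!ALLOWED_CONNECT_ORIGINS.has(parsed.origin)) return { ok: false, reason: `origin ${parsed.origin} not allowlisted` };
  return { ok: true, reason: 'ok' };
}

// Browser-only loader that refuses anything the gate rejects. Only runs where a
// DOM exists; the policy functions above are pure and run anywhere.
function loadScript(src, integrity) {
  const verdict = checkScriptSource(src, integrity);
  if (!verdict.ok) return Promise.reject(new Error(`blocked script ${src}: ${verdict.reason}`));
  return new Promise((resolve, reject) => {
    const el = document.createElement('script');
    el.src = src;
    el.integrity = integrity;
    el.crossOrigin = 'anonymous'; // SRI on a cross-origin script requires a CORS fetch
    el.onload = () => resolve(el);
    el.onerror = () => reject(new Error(`failed to load ${src}`));
    document.head.appendChild(el);
  });
}

module.exports = { checkScriptSource, checkConnectTarget, loadScript };
```

The allowlist is deliberately keyed on the full origin (scheme, host, port), not on a substring match, so `https://cdn.example.com.attacker.test` and `https://cdn.example.com@attacker.test` both fail. The same policy should be mirrored in a Content-Security-Policy header (script-src with SRI or nonces, connect-src limited to the API origins) so that a hook bypassing this wrapper is still blocked by the browser.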
Audit Metadata