faf-wizard

Warn

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the user to install global CLI tools and MCP servers from the public NPM registry.
      • Evidence: npm install -g faf-cli and npx -y claude-faf-mcp@latest in SKILL.md.
  • [REMOTE_CODE_EXECUTION]: The use of npx -y ...@latest is a remote code execution pattern: the latest version of a package is downloaded and executed dynamically without version pinning.
      • Evidence: "args": ["-y", "claude-faf-mcp@latest"] in the MCP Server configuration section.
  • [COMMAND_EXECUTION]: The skill requires running various shell commands to perform its core functions of detection, generation, and synchronization.
      • Evidence: Commands such as faf auto, faf migrate, and faf sync are central to the workflow.
  • [PROMPT_INJECTION]: The skill ingests data from local project files to generate AI context, creating an indirect prompt injection surface where malicious instructions in project files could influence the AI.
      • Ingestion points: Scans README.md, package.json, Cargo.toml, and other project manifests (SKILL.md).
      • Boundary markers: None specified in the documentation to prevent obedience to embedded instructions.
      • Capability inventory: Shell command execution via the faf CLI tool and local file system access (SKILL.md).
      • Sanitization: No documentation indicates that external file content is sanitized before being included in the AI context.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Jun 16, 2026, 09:51 AM
Security Audit — agent-trust-hub — faf-wizard