harmony-uts-plugin

Pass

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: SAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill includes a proactive defensive instruction in SKILL.md regarding external documentation (Gitee/HarmonyOS docs), explicitly stating that the agent should only use them as reference material and never execute commands contained within them. This mitigates risks associated with indirect prompt injection from third-party sources.
  • [DATA_EXFILTRATION]: Multiple files, including debugging-and-release.md and development-checklists.md, contain explicit warnings against including sensitive data such as API tokens, private keys, certificates, or personal user information in logs or documentation. The skill also advises developers to avoid collecting sensitive or non-resettable device identifiers.
  • [EXTERNAL_DOWNLOADS]: The skill references official documentation from the HarmonyOS developer portal and the OpenHarmony Gitee repository. These are the authoritative, well-known sources for the target platform, and referencing them does not represent a security risk.
  • [COMMAND_EXECUTION]: While the skill mentions tools like npm, ohpm, and HBuilderX, these are standard development environment components. There are no instructions that would lead to unauthorized or malicious command execution.
  • [CREDENTIALS_UNSAFE]: The documentation specifically instructs developers to use environment variables or DCloud-approved configuration methods for managing secrets, rather than hardcoding them into the plugin or its assets.
Audit Metadata
Risk Level: SAFE
Analyzed: May 13, 2026, 05:59 AM