skills/socketdev/skills/socket-setup/Gen Agent Trust Hub

socket-setup

Fail

Audited by Gen Agent Trust Hub on Mar 25, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Fetches the Node Version Manager (nvm) installation script from the official nvm-sh GitHub repository.
  • [EXTERNAL_DOWNLOADS]: Downloads the socket-patch installation script from the author's (SocketDev) GitHub repository.
  • [EXTERNAL_DOWNLOADS]: Fetches standalone sfw binaries directly from the official socket.dev domain.
  • [REMOTE_CODE_EXECUTION]: Executes the downloaded nvm and socket-patch installation scripts using shell pipes (curl | bash and curl | sh).
  • [COMMAND_EXECUTION]: Uses local helper scripts (scripts/helpers/socket-setup.mjs and scripts/helpers/detect-ci.ts) to perform environment checks, project detection, and Dockerfile analysis.
  • [COMMAND_EXECUTION]: Instructs the agent to modify project files such as Dockerfile and package.json to integrate security tools, requiring user approval before writing.
  • [CREDENTIALS_UNSAFE]: Includes a hardcoded public demo token (sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api) intended for users without an account to provide immediate, limited CLI functionality.
  • [PROMPT_INJECTION]: Ingests project configuration data from files like package.json and Dockerfile to identify build steps, creating an attack surface for indirect prompt injection.
      • Ingestion points: Reads package.json, CI configurations (GitHub Actions, GitLab CI), Makefile, Dockerfile, and other build-related metadata files via helper scripts.
      • Boundary markers: No delimiters or instructions to disregard embedded commands are present when processing the contents of these files.
      • Capability inventory: The skill performs shell command execution, global package installation, and direct file modification.
      • Sanitization: There is no evidence of sanitization or validation of the strings extracted from project files before they are used in generated configuration commands.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/SocketDev/socket-patch/main/install.sh, https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh - DO NOT USE without thorough review
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 25, 2026, 03:34 AM