peaks-sdd
Warn
Audited by Gen Agent Trust Hub on May 10, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: During its initialization phase (`init.mjs`), the skill automatically fetches numerous external AI agent skills using the `npx skills add` command. These resources are pulled from diverse GitHub repositories, including those belonging to individual developers (e.g., `obra/superpowers`, `mattpocock/skills`, `wshobson/agents`), which increases the attack surface for supply-chain vulnerabilities.
- [REMOTE_CODE_EXECUTION]: The workflow heavily utilizes `npx -y` to execute unpinned versions of remote packages (e.g., `@fission-ai/openspec@latest`, `gitnexus@latest`) from the npm registry. This occurs during project initialization and within various development hooks, allowing for the execution of third-party code that is not locally audited.
- [COMMAND_EXECUTION]: The skill configures `PostToolUse` hooks to run shell-based utilities like Prettier, ESLint, and the TypeScript compiler. These tools are used to enforce code quality and formatting but involve the execution of local shell commands as part of the standard development loop.
- [SAFE]: A significant portion of the external skills are sourced from well-known and trusted organizations, such as Vercel Labs, Anthropics, and Google Labs. These specific downloads are considered routine and low-risk within the context of the platform's trusted vendor guidelines.
Audit Metadata