starwind-pro

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFE
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes the npx starwind@latest command for initializing projects and adding UI components. These operations are essential for the skill's primary function and are scoped to the vendor's official toolset.
  • [EXTERNAL_DOWNLOADS]: The skill fetches components from the official npm registry and the vendor's private registry at https://pro.starwind.dev. These references are standard for the 'starwind-ui' ecosystem and are used for legitimate component retrieval.
  • [DATA_EXFILTRATION]: While the skill interacts with a sensitive STARWIND_LICENSE_KEY, it includes explicit safety instructions to ensure the key is managed via environment variables and never hardcoded, shared in chat, or echoed in output, mitigating the risk of accidental exposure.
  • [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection by reading project configuration files (package.json, astro.config.mjs, components.json) to determine the environment. The capability inventory includes subprocess calls via npx. While no specific boundary markers or sanitization logic are defined in the instructions, the risk is consistent with standard developer tooling workflows.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 13, 2026, 01:03 AM
Security Audit — agent-trust-hub — starwind-pro