
squad

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill interacts with an external API at steloit-squad.vercel.app. This is a vendor-owned resource belonging to the author 'steloit' and serves as the primary backend for the task management system.
  • [SAFE]: Authentication tokens are managed securely. The skill provides clear instructions for users to store the SQUAD_AUTH_TOKEN in a local file (~/.squad/auth) with restrictive file permissions (chmod 600) or via environment variables, following standard security practices.
  • [SAFE]: The skill employs jq and Python's json.dumps() for all JSON payload construction when interacting with the API. This robust approach prevents command injection and ensures that user-supplied text (such as task descriptions or titles) cannot break the API request structure.
  • [SAFE]: Analysis of scripts/coach_smoke.py confirms that subprocess calls are used safely to execute local helper scripts (like render_agent_prompt.py) using a list of arguments, avoiding shell interpolation of untrusted data.
  • [SAFE]: The skill exhibits an indirect prompt injection surface (Category 8) because various agents process task descriptions and logs from the task board. This is a standard characteristic of agentic project management tools and is mitigated by the use of structured markdown templates and clearly scoped agent identities.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Jun 13, 2026, 01:38 PM