taubyte-spore-drive-sdk

Pass

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: SAFE
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: The skill installs the @taubyte/spore-drive package from the NPM registry. As this is the official SDK from the skill's author, it is considered a legitimate vendor-provided dependency for the stated purpose of cloud deployment.
  • [COMMAND_EXECUTION]: The implementation flow instructs the agent to execute npm install and npm run displace. These commands are used to initialize the deployment environment and trigger the execution of the generated deployment scripts on the host system.
  • [DATA_EXPOSURE_AND_EXFILTRATION]: The skill requires the user to provide a path to an SSH private key (SSH_KEY). While this involves the agent accessing sensitive credential files on the filesystem, it is a functional requirement for authenticating with the servers where the Taubyte cloud will be deployed.
  • [DYNAMIC_EXECUTION]: The skill generates deployment-specific SDK code and configuration files (.env, hosts.csv) at runtime and subsequently executes them. This dynamic script generation is a core feature of the tool's 'code-first automation' approach to deployment.
  • [INDIRECT_PROMPT_INJECTION]: The skill accepts several user inputs—including domains, server lists, and file paths—which are interpolated into the generated code and configuration files. This creates a surface for potential injection if inputs are not properly sanitized.
    ◦ Ingestion points: SKILL.md (Inputs to collect section: ROOT_DOMAIN, GENERATED_DOMAIN, Server list, SSH_KEY).
    ◦ Boundary markers: Absent; the instructions do not provide delimiters or guardrail prompts to isolate user-supplied strings during code generation.
    ◦ Capability inventory: The skill possesses the capability to write files to the project directory and execute shell commands via npm.
    ◦ Sanitization: No specific sanitization or validation logic is defined in the implementation flow to ensure user inputs do not contain malicious code or command escape characters.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 22, 2026, 05:04 PM