skills/tenequm/skills/last30days-glim/Gen Agent Trust Hub

last30days-glim

Pass

Audited by Gen Agent Trust Hub on Jun 17, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill communicates with well-known and trusted technology services, including Reddit, GitHub, and Hacker News, as well as the author's Glim API at surf.cascade.fyi for social media aggregation.
  • [SAFE]: Command execution via subprocess.run and subprocess.Popen is localized to benchmarking scripts (evaluate.py, verify_v3.py), end-to-end tests (e2e_comparison.py), and a utility for process management (subproc.py). These are used for legitimate tasks such as Git worktree management, compile-time checks, and process group cleanup.
  • [SAFE]: Credential handling is implemented securely. The skill instructs users to store API keys in environment variables or .env files and includes a proactive check to warn users if their configuration files are globally readable, recommending standard chmod 600 permissions.
  • [SAFE]: The skill incorporates robust mitigations against indirect prompt injection (Category 8). All external data retrieved from the internet is wrapped in <untrusted_content> fences before being passed to LLM judges, and the instructions explicitly command the agent to treat such content as data rather than executable instructions.
  • [SAFE]: A pre-flight refuse-gate is implemented in preflight.py to prevent the tool from being misused for generic demographic shopping queries that would yield low-signal results, enhancing the tool's reliability and focus.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Jun 17, 2026, 12:12 AM