client-intake

Pass

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill demonstrates strong security awareness by implementing HMAC signature validation and timestamp verification in the webhook-receiver.md agent to ensure the authenticity and integrity of external payloads.
  • [SAFE]: The attachment-processor.md agent correctly implements file-type restrictions, specifically blacklisting dangerous extensions such as .exe, .bat, .sh, and .vbs, while enforcing file size limits and recursion depth for archives.
  • [COMMAND_EXECUTION]: The shell and Node.js scripts located in the tests/ directory are utility tools intended for structural validation of the markdown agent files. These scripts perform benign local file system checks and do not contain patterns of unauthorized or malicious command execution.
  • [CREDENTIALS_UNSAFE]: While agent documentation references variables like WEBHOOK_SECRET, these are used strictly as placeholders in pseudo-code examples to illustrate security implementation logic rather than exposing hardcoded secrets.
  • [SAFE]: The ingestion of untrusted data from emails, chats, and webhooks is identified as a surface for indirect prompt injection. However, the skill mitigates this through specialized parsing and normalization agents that operate with limited capabilities, preventing the direct execution of embedded malicious instructions.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 28, 2026, 12:32 PM