wokitoki

Pass

Audited by Gen Agent Trust Hub on Jun 12, 2026

Risk Level: SAFE

Findings: COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses shell commands to compile its own source code into a standalone binary on first use and to open the system browser to display the feedback UI. These operations use validated paths and URLs restricted to the local loopback address.
  • [SAFE]: The skill implements robust security measures for its local web interface. The markdown renderer (markdown.ts) performs full HTML escaping on all input strings before processing, and restricts link protocols to http, https, and mailto to prevent URI-based attacks. The server (server.ts) binds exclusively to 127.0.0.1 and requires a cryptographically random token (x-toki-token) for result submission to prevent CSRF and cross-origin interference.
  • [SAFE]: Data management is handled through a dedicated directory (~/.toki/) for storing spec backups, result JSONs, and decoded user images. Path traversal is mitigated by sanitizing all IDs used in filenames to a safe character set ([A-Za-z0-9._-]).
  • [SAFE]: The skill processes structured feedback via a JSON-based contract. Although this is a surface for indirect prompt injection (the skill ingests data from the agent for display), the risk is mitigated by the strict HTML sanitization and by the tool's isolation as a separate process from the main agent context.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Jun 12, 2026, 09:20 PM
Security Audit — agent-trust-hub — wokitoki