The Agent Skills Directory

[REMOTE_CODE_EXECUTION]: The skill provides commands to download and execute scripts directly in the shell for tool installation.
Evidence: curl https://get.volta.sh | bash and curl -fsSL https://fnm.vercel.app/install | bash in SKILL.md.
Note: These scripts originate from the official domains of Volta and Vercel (a trusted organization), which are well-known technology services.
[EXTERNAL_DOWNLOADS]: Fetches configuration and installation binaries from remote repositories.
Evidence: Downloads the Volta installer and the fnm installer from their respective official endpoints.
[COMMAND_EXECUTION]: The skill defines a wide range of shell commands for the agent to execute, including version pinning, package installation, and shell environment modifications.
Evidence: Commands like volta pin node@20, npm install, and eval "$(fnm env ...)" are detailed throughout SKILL.md.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it instructs the agent to read and act upon project-specific configuration files that could be controlled by an external party.
Ingestion points: Reads package.json and .node-version files from the current working directory.
Boundary markers: None specified to differentiate between trusted and untrusted configuration data.
Capability inventory: Can execute version management commands (volta, fnm) and package manager commands (npm, yarn, pnpm) based on the content of those files.
Sanitization: No explicit validation or sanitization of the version strings or tool names retrieved from the configuration files.

nodejs-use