write-script-php

Pass

Audited by Gen Agent Trust Hub on Jun 22, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill provides legitimate instructions for developing PHP scripts within the Windmill ecosystem. It promotes secure practices by instructing the agent to use the platform's resource system for handling credentials and configuration rather than hardcoding them in scripts.
  • [COMMAND_EXECUTION]: The skill utilizes the wmill CLI (a tool from the skill's author, windmill-labs) to manage the script lifecycle. Commands include wmill script preview for local execution, wmill script run for remote execution, wmill generate-metadata for lockfile management, and wmill sync push for deployment. These are standard operations for the target platform's development workflow.
  • [EXTERNAL_DOWNLOADS]: The skill facilitates the management of PHP dependencies by allowing the specification of Composer packages (e.g., guzzlehttp/guzzle, stripe/stripe-php) within code comments. These dependencies are resolved locally via the vendor's CLI tool.
  • [PROMPT_INJECTION]: The skill possesses an inherent attack surface for indirect prompt injection because it generates and executes code based on user requests. However, this is the primary intended function of the skill and no malicious overrides were found.
      • Ingestion points: User-provided script logic and execution arguments (SKILL.md).
      • Boundary markers: No explicit instructions are provided for using delimiters to isolate user input from the rest of the generated script context.
      • Capability inventory: The skill can execute code via wmill script preview and wmill script run, and publish changes via wmill sync push (SKILL.md).
      • Sanitization: There are no explicit instructions to validate or sanitize user input before it is interpolated into script arguments or code blocks.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 22, 2026, 08:37 AM