The Agent Skills Directory

[SAFE]: The skill includes a local Node.js server to provide visual feedback to the user. The server implementation in server.cjs is secure, employing path.basename() to sanitize file paths and prevent directory traversal attacks when serving visual assets from the session directory.
[SAFE]: Robust lifecycle management is implemented in the server-side code, including a 30-minute idle timeout and a mechanism to monitor the parent agent process (via PID) to ensure the server shuts down automatically if the agent exits or becomes inactive.
[SAFE]: The skill instructions in SKILL.md include a 'HARD-GATE' and explicit terminal state markers that prevent the AI from performing implementation tasks or code execution until a design specification has been explicitly reviewed and approved by the user.
[SAFE]: The shell scripts used for server management (start-server.sh, stop-server.sh) follow security best practices by using isolated session directories in /tmp or project-specific hidden folders, with clear logic for process cleanup.

spark