brainstorming

Fail

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill requires the agent to execute shell scripts (start-server.sh, stop-server.sh) and Node.js code (index.js) that are sourced from an external, untrusted GitHub repository (github.com/obra/superpowers). This enables the execution of unvetted code within the user's environment.
  • [COMMAND_EXECUTION]: The process flow for the visual companion feature involves direct execution of local bash scripts and Node.js processes via the terminal, which can be exploited if the scripts are malicious or modified.
  • [EXTERNAL_DOWNLOADS]: Documentation in the skill explicitly instructs the agent to 'Clone or copy' an entire directory of executable code from a third-party repository to enable core functionality, bypassing standard package management and verification.
  • [DATA_EXFILTRATION]: The visual companion server provides instructions for binding to 0.0.0.0 (all network interfaces). This configuration can expose the locally hosted mockups and interaction data (.events files) to other devices on the same network, potentially leading to unauthorized data access.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 14, 2026, 03:19 PM