vibe-kanban

Warn

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill relies on downloading and executing the vibe-kanban package from the NPM registry via npx.
      • Evidence: Installation and execution instructions in SKILL.md, scripts/start.sh, and templates/claude-mcp-config.json use npx vibe-kanban as the primary startup method.
  • [REMOTE_CODE_EXECUTION]: The use of npx allows for the execution of remotely fetched code on the host system at runtime.
      • Evidence: scripts/start.sh contains the command exec npx vibe-kanban.
  • [COMMAND_EXECUTION]: The skill provides scripts that automate the modification of sensitive local configuration files and perform destructive git operations.
      • Evidence: scripts/mcp-setup.sh programmatically modifies ~/.claude/claude_desktop_config.json and ~/.codex/config.toml to register tool capabilities.
      • Evidence: scripts/cleanup.sh executes git branch -D and git worktree remove --force.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by interpolating user-provided task descriptions into agent CLI commands without visible sanitization.
      • Ingestion points: Task descriptions entered via the board UI or the vk_create_card MCP tool as documented in SKILL.md and references/mcp-api.md.
      • Boundary markers: None identified; user input is passed as a string argument to agent executables (e.g., -p "<task-description>").
      • Capability inventory: The skill manages agents with access to Bash, Write, Grep, Glob, and Read tools.
      • Sanitization: No evidence of input escaping or validation for the task description before it is passed to agent CLIs.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 11, 2026, 01:50 PM