The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The skill downloads the firebase-tools package from the official npm registry and the standalone binary from firebase.tools (a well-known redirect to Google's Firebase hosting). These are trusted sources for the Firebase CLI.
[COMMAND_EXECUTION]: The skill executes several shell commands to manage Firebase services, including npm install, firebase login, firebase deploy, and firebase emulators. All commands are standard for Firebase development and are used as intended for the skill's primary purpose.
[REMOTE_CODE_EXECUTION]: The standalone installation method in SKILL.md and scripts/install.sh uses curl -sL https://firebase.tools | bash. While this pattern involves piping remote content to a shell, the source is an official, well-known domain owned by Google/Firebase for CLI distribution, which is considered a safe and standard installation practice for this specific tool.
[CREDENTIALS_UNSAFE]: The skill correctly instructs users to manage sensitive credentials (like service account JSON keys) using environment variables (GOOGLE_APPLICATION_CREDENTIALS) and specifically advises adding these files to .gitignore to prevent accidental exposure. No hardcoded secrets were found.

firebase-cli