groove-admin-install

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Fetches companion skills from Vercel Labs' official GitHub repositories and the author's own repository during the installation process. These sources are considered trusted or vendor-owned.
  • [COMMAND_EXECUTION]: Uses npx skills add to install external components and ln -sfn to create symbolic links, which registers the installed skills within IDE-specific directories such as .claude/skills and .cursor/skills.
  • [DATA_EXFILTRATION]: Reads local repository configuration from .groove/index.md and modifies files like AGENTS.md, .gitignore, and hook files (.groove/hooks/start.md). These actions are consistent with the skill's primary purpose of bootstrapping a repository environment, and no unauthorized data exfiltration or hardcoded credentials were found.
  • [DATA_EXFILTRATION]: The skill processes external data from .groove/index.md (Ingestion point: SKILL.md) to drive configuration steps. While it lacks explicit boundary markers or sanitization for this input, the capabilities (Bash, Write) are used exclusively for repository setup and management tasks, presenting a low risk for indirect injection in this context.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 10, 2026, 08:42 PM