angularfire

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill documentation encourages patterns where the agent ingests and processes untrusted data from external sources.
      • Ingestion points: collectionData (Firestore), listVal (RTDB), and model.generateContent (Vertex AI) in references/product-firestore.md, references/product-realtime-database.md, and references/product-vertexai.md.
      • Boundary markers: None present in the provided code snippets to delimit untrusted data from instructions.
      • Capability inventory: Extensive capabilities including network operations (Firebase SDK), CLI command execution (ng deploy, firebase emulators), and dynamic module loading.
      • Sanitization: No sanitization or validation of external content is demonstrated before it is used in application logic or displayed.
  • [Dynamic Execution] (HIGH): Example code in references/advanced-ssr.md uses dynamic require() with computed paths: require(`${process.cwd()}/dist/my-app/server/main`).app(). This pattern is susceptible to path traversal or local file inclusion if the environment is misconfigured.
  • [External Downloads] (LOW): The skill imports remote scripts in references/product-messaging.md from https://www.gstatic.com/. While this is a remote download, the source is within the Trusted External Scope (Google/Firebase), downgrading the severity per [TRUST-SCOPE-RULE].
  • [Command Execution] (MEDIUM): Multiple references (e.g., references/advanced-deploy.md, references/advanced-emulators.md) provide instructions for executing shell commands like ng deploy, firebase init, and curl -X DELETE. While standard for developer tools, these provide a vector for command injection if variables were populated from untrusted sources.
  • [Credentials Unsafe] (INFO): Hardcoded placeholders like apiKey: 'your-api-key' are found in references/core-setup.md. These are identified as placeholders and do not constitute an active leak.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 05:20 AM