illustrated-explainer-spec

Pass

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The documentation includes standard setup commands for initializing a project and installing dependencies.
      ◦ Evidence: Commands such as mkdir explainer, npm init -y, and npm install are provided as instructions for users to set up the local environment.
  • [CREDENTIALS_UNSAFE]: The skill correctly handles sensitive information by instructing users to use environment variables for API keys.
      ◦ Evidence: The reference implementation uses process.env.GEMINI_API_KEY and provides a template .env file, adhering to security best practices for credential management.
  • [DATA_EXPOSURE]: The application writes generated images to a local directory and serves them statically.
      ◦ Evidence: The server script uses path.join('public', 'generated') and validates parentId inputs against a hexadecimal regex (/^[0-9a-f]{32}$/), which effectively prevents path traversal attacks when accessing the filesystem.
  • [PROMPT_INJECTION]: The skill implements an architecture where user-supplied queries are interpolated into prompts for an AI model.
      ◦ Evidence: The firstPagePrompt function takes a query string and inserts it into a template. While this is an indirect injection surface, the risk is mitigated as the model output is restricted to image generation, and input length is validated.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 29, 2026, 01:44 AM