The Agent Skills Directory

EXTERNAL_DOWNLOADS (LOW): The skill references and encourages the use of external scripts from 'https://cdn.jsdelivr.net'. While version pinning (e.g., 'preact@10.24.3') is used, these are external dependencies not hosted on a pre-approved trusted source defined in the security policy.
DYNAMIC_EXECUTION (MEDIUM): In 'SKILL.md', the example for lazy loading pages uses a computed path: 'import(./pages/${name}.js)'. If the 'name' variable is derived from untrusted sources like 'location.hash' or URL parameters without strict allow-listing or sanitization, it could allow an attacker to load arbitrary JavaScript modules from the server or perform directory traversal within the web root.
COMMAND_EXECUTION (LOW): The documentation suggests running 'npx serve' or 'python3 -m http.server'. These are standard local development commands and pose minimal risk in this context, but do involve shell execution.
INDIRECT_PROMPT_INJECTION (LOW): (Category 8) The skill constructs applications that ingest data from 'location.hash' (Ingestion point: 'assets/starter/app.js'). While it primarily influences client-side routing, the lack of boundary markers or sanitization for this input is a minor vulnerability surface. Mandatory Evidence: 1. Ingestion point: 'location.hash' in 'assets/starter/app.js'. 2. Boundary markers: Absent. 3. Capability inventory: Dynamic component rendering based on hash. 4. Sanitization: Absent.

preact-buildless-frontend