skills/b-open-io/prompts/npm-publish/Gen Agent Trust Hub

npm-publish

Pass

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill follows standard development practices to automate package publishing. It relies on established tools such as npm, bun, and git to perform its tasks.
  • [COMMAND_EXECUTION]: The skill executes local commands through provided shell scripts (preflight.sh, release.sh, publish.sh, verify.sh). These commands include npm view for version checking, bun run build for compiling the package, git push for repository updates, and bun publish for registry submission. All executions are directly related to the skill's primary purpose.
  • [EXTERNAL_DOWNLOADS]: The skill communicates with the official npm registry (registry.npmjs.org) to verify versions and upload packages. These are standard operations for any publishing tool.
  • [PROMPT_INJECTION]: The SKILL.md includes strict operational instructions to ensure the agent uses the provided scripts and avoids manual intervention (e.g., 'NEVER ask the user for an OTP code'). These instructions are designed to maintain a consistent and secure workflow and do not attempt to bypass agent safety filters.
  • [DATA_EXPOSURE]: No hardcoded credentials or access to sensitive local files (like SSH keys or environment secrets) were detected. The scripts only interact with project-specific files such as package.json and CHANGELOG.md.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 17, 2026, 01:12 AM