NYC

lib-slint-expert

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • Remote Code Execution (HIGH): The skill's documentation contains dangerous shell piping patterns from domains not included in the Trusted External Sources list.
      • Evidence: GETTING_STARTED.md and templates/basic-app/README.md both recommend installing software using curl ... | sh for Rustup (https://sh.rustup.rs) and wasm-pack (https://rustwasm.github.io/wasm-pack/installer/init.sh).
  • External Downloads (HIGH): The skill relies on a git submodule (source/) to provide its core content, including documentation, examples, and project templates. This represents a significant supply-chain risk as the agent is instructed to interact with and trust content from this external repository.
      • Evidence: The skill uses git submodule update --remote source to pull the latest content from the remote repository without version pinning or integrity verification within the skill manifest.
  • Indirect Prompt Injection (HIGH): The skill has a large attack surface for indirect injection by ingesting and referencing content from the source/ submodule (e.g., @source/docs/, @source/examples/).
      • Ingestion points: Multiple references in README.md, docs/README.md, and examples/README.md to external content.
      • Capability inventory: The templates provide an environment where cargo run is expected to be used, which executes build.rs scripts that can contain arbitrary code.
      • Boundary markers: None identified. The agent is encouraged to directly interpret and use external content to guide the user.
  • Automated Scan Alert (INFO): An automated scanner flagged a blacklisted URL pattern in main.rs. While the specific malicious string is not immediately apparent in the visible text, the presence of untrusted remote execution patterns in the project supports a high-risk assessment.
Recommendations
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 03:54 AM