The Agent Skills Directory

[Unverifiable Dependencies & Remote Code Execution]: The skill facilitates the download of V8 source code (evidence: curl -sL "https://github.com/v8/v8/archive/refs/tags/<new_version>.tar.gz") and subsequent building of the project (evidence: just build). This is a standard procedure for updating core components and targets a well-known repository.
[Integrity Verification]: To ensure the security of the update process, the skill includes instructions for computing SHA256 integrity hashes (evidence: openssl dgst -sha256 -binary v8.tar.gz). This step is intended to verify that the downloaded source code has not been tampered with before use.
[Command Execution]: The workflow relies on standard system utilities such as git, curl, python3, and openssl, as well as project-specific tools like just. These tools are necessary for managing source code patches, automating dependency updates, and executing test suites.
[Indirect Prompt Injection]: This category addresses potential vulnerabilities when processing external data. (1) Ingestion points: The skill reads version data from chromiumdash.appspot.com and dependency commits from v8/DEPS. (2) Boundary markers: No explicit prompt boundaries or sanitization warnings are defined for these inputs. (3) Capability inventory: The skill utilizes subprocess calls like git, curl, and just for building and testing. (4) Sanitization: External data is used directly in commands without formal sanitization, though the skill mandates human-in-the-loop confirmation at each stage to mitigate risks.

update-v8