The Agent Skills Directory

[COMMAND_EXECUTION]: The skill uses the Bash tool to run local Node.js scripts (e.g., parse-flow-prompt.js, detect-project-conventions.js, validate-flow-graph.js) for internal logic and validation. It also executes npx playwright test to perform navigation smoke tests on the generated code. These commands are necessary for the skill's stated purpose and are restricted to the local environment.
[DATA_EXPOSURE_AND_EXFILTRATION]: The skill reads project configuration files such as .claude/d2c/design-tokens.json and scans the application source code to detect existing project conventions (e.g., Server vs. Client components). This data is used solely to ensure the generated code integrates correctly with the host project. No network calls to non-whitelisted domains or exfiltration of sensitive files were observed.
[INDIRECT_PROMPT_INJECTION]: The skill ingests data from external Figma files via the mcp__figma tool. This is a standard ingestion point for design-to-code tools. The skill mitigates risks by parsing this data into a structured Intermediate Representation (IR) and validating it against a strict JSON schema before any code generation occurs.
[REMOTE_CODE_EXECUTION]: No remote code execution patterns were found. The skill does not use curl | bash or similar patterns. It suggests standard, well-known libraries like @tanstack/react-query or react-error-boundary if they are already present in the user's project.

d2c-build-flow