commander-builder

Pass

Audited by Gen Agent Trust Hub on Apr 12, 2026

Risk Level: SAFE
Full Analysis
  • [DATA_EXFILTRATION]: The skill uses a script named mtga-import to access the MTG Arena Player.log file. This is used to import the user's card collection into the tool's logic. This access to a local sensitive file is part of the core functionality and is used for inventory management within the skill.
  • [EXTERNAL_DOWNLOADS]: The skill utilizes network-enabled scripts like web-fetch and download-bulk to retrieve card information, pricing, and community-driven deck data from external MTG services. These downloads are standard for the intended use-case of building and validating Magic: The Gathering decks.
  • [COMMAND_EXECUTION]: The skill invokes multiple local Python scripts through uv run. The documentation specifically addresses the risk of command injection from special characters in card names (e.g., apostrophes) and provides best practices for the agent to handle these safely using the Write tool and absolute paths.
  • [PROMPT_INJECTION]: The skill includes an indirect prompt injection surface as it processes external data from user-provided decklists and web pages.
      • Ingestion points: parse-deck (reads user-provided collection and deck files in SKILL.md) and web-fetch (retrieves web articles in SKILL.md).
      • Boundary markers: Absent; the skill does not define specific delimiters or instructions to treat external data as untrusted.
      • Capability inventory: The skill can execute various subprocesses via defined scripts in pyproject.toml, perform file system writes using the Write tool, and conduct network requests via web-fetch.
      • Sanitization: Absent; no explicit sanitization or validation of the fetched external data is mentioned in the instructions.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 12, 2026, 03:03 PM