deno-expert

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • Remote Code Execution (HIGH): The skill recommends executing remote scripts with full system permissions.
      • Evidence: The command deno run -Ar jsr:@fresh/init is promoted for project setup. The -A flag (alias for --allow-all) bypasses Deno's permission sandbox entirely, granting the script full access to the network, file system, and environment.
      • Source Risk: The source jsr.io is not included in the Trusted External Sources list, making the execution of these scripts a high-risk operation.
  • Indirect Prompt Injection (HIGH): The skill's primary purpose is to review and debug user-provided Deno/Fresh code, which is a major attack surface for indirect injections.
      • Ingestion Points: User-provided code snippets, project files, and dependency lists (SKILL.md).
      • Boundary Markers: Absent. There are no instructions for the agent to use delimiters or to treat comments within user code as untrusted data.
      • Capability Inventory: The skill is authorized to recommend and guide the execution of commands like deno run, deno add, and deno deploy, which could be manipulated by malicious instructions embedded in the code being reviewed.
      • Sanitization: None. The agent does not verify or sanitize the content of the external code before incorporating it into its reasoning or recommended commands.
  • Command Execution (MEDIUM): Recommends potentially dangerous environment-altering commands.
      • Evidence: Commands such as deno deploy env add and deno run --allow-net are suggested without warnings about the risks of exposing secrets or granting network access to unvetted scripts.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:41 AM