dev-log
Warn
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: MEDIUM DATA_EXFILTRATION
Full Analysis
- [DATA_EXFILTRATION]: Unauthenticated Public Endpoint. The skill uses the `localtunnel` library to expose a local HTTP server to a public URL. This server is designed to receive and store logs via `POST` requests and serves them via `GET /logs`. The implementation lacks any authentication mechanism, meaning all logs collected from the user's development environment are publicly accessible to anyone who discovers the tunnel URL.
- [DATA_EXFILTRATION]: Resource Exhaustion Risk. In `src/index.ts` and the bundled `dist/index.cjs`, the `MAX_BODY_SIZE` is set to 10GB (`10 * 1024 * 1024 * 1024`). This excessively high limit for a log-collection service allows a malicious actor to perform a Denial of Service (DoS) attack by filling the host's disk space with a single request.
- [DATA_EXFILTRATION]: Sensitive Data Exposure. While `SKILL.md` contains a warning advising the AI to filter sensitive fields (like passwords or tokens), this is a non-binding prompt instruction. The actual server code does not perform any server-side sanitization or validation of the data being logged, relying entirely on the AI's adherence to the instructions when generating client-side code.
- [PROMPT_INJECTION]: Indirect Ingestion Surface. The skill reads external data (logs) into the agent's context for analysis. This creates an indirect prompt injection surface where log content from a running application could influence the AI's decision-making process. The mandatory evidence chain for this category is as follows:
  - Ingestion points: `GET /logs` endpoint in `src/index.ts` reads from `dev-logs.json`.
  - Boundary markers: None observed in the log retrieval or analysis instructions.
  - Capability inventory: The skill can read/write files via `fs` and execute network requests via `localtunnel` and `http`.
  - Sanitization: No sanitization is performed on the log content before it is returned to the AI.
Audit Metadata