The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The skill instructs users to download the primary library as a .tgz archive from external platforms (Patreon or Lemon Squeezy) and install it as a local file dependency.
Evidence: rules/getting-started.md contains instructions to add "@dlcastillop/seo-in-nextjs": "file:./seo-in-nextjs-1.0.0.tgz" to dependencies.
Note: This method bypasses the automated security scanning and integrity checks provided by public package registries like NPM.
[COMMAND_EXECUTION]: The skill documentation recommends adding build and utility scripts to package.json that execute code dynamically using the node -e flag.
Evidence: rules/generate-llms-txt.md and rules/seo-check.md provide scripts that import and run functions directly from the @dlcastillop/seo-in-nextjs/scripts module via the command line.
[DATA_EXPOSURE]: No hardcoded credentials, API keys, or access to sensitive local files (like SSH keys or AWS configs) were detected. The use of baseUrl is standard for SEO configuration.
[PROMPT_INJECTION]: No attempts to override system prompts or bypass safety filters were found in the instructional content.
[INDIRECT_PROMPT_INJECTION]: The skill provides patterns for generating metadata by fetching content from external APIs, which represents a potential ingestion point for untrusted data.
Ingestion points: rules/generate-metadata.md (fetches from https://api.example.com/articles/${slug}).
Capability inventory: The skill can modify page headers (metadata) and write files (llms.txt, sitemap.xml, robots.txt) via the provided scripts.
Boundary markers: None present in the example code to handle potentially malicious content from API responses.
Sanitization: No explicit sanitization or validation of the fetched API data is shown before it is interpolated into metadata fields.

seo-in-nextjs