ce-demo-reel
Warn
Audited by Gen Agent Trust Hub on Apr 26, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: In Step 1 ('Exercise the Feature') of SKILL.md, the agent is instructed to run commands directly from the repository being analyzed (e.g., new/changed CLI commands, example library code) to verify functionality. This involves executing potentially untrusted code from the target repository within the agent's environment.
- [DATA_EXFILTRATION]: The skill is designed to upload visual artifacts to 'catbox.moe' and 'litterbox.catbox.moe'. These are public, anonymous file-hosting services. This behavior constitutes data exfiltration of workspace content (UI screenshots, terminal outputs) to a third-party service not managed by the user or the vendor.
- [COMMAND_EXECUTION]: The skill uses a Python helper script to execute various system utilities including 'ffmpeg', 'vhs', 'silicon', and 'curl' via subprocess calls. It also executes repository-specific commands to trigger observable behavior for capture.
- [PROMPT_INJECTION]: The skill derives its capture plan (the 'capture hypothesis') from repository metadata such as branch names, PR titles, and PR descriptions. This represents an indirect prompt injection surface where a malicious contributor could influence the agent's actions (e.g., specific commands to run) by crafting these metadata fields. Evidence chain:
  - Ingestion points: SKILL.md Step 0 reads the branch name, PR title, and PR description.
  - Boundary markers: Absent.
  - Capability inventory: Shell command execution (subprocess.run), browser automation (agent-browser), and network uploads (curl).
  - Sanitization: Absent; the skill relies on a manual user approval gate (AskUserQuestion) to mitigate risks.
- [EXTERNAL_DOWNLOADS]: The skill's documentation and 'preflight' checks suggest the installation of several external binaries ('vhs', 'silicon', 'ffmpeg') via third-party package managers like Homebrew if they are not already present.
Audit Metadata