tanstack-start
Pass
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: SAFE
Full Analysis
- [Data Exposure & Exfiltration] (SAFE): The deployment guidelines explicitly warn against exposing secrets via 'VITE_' prefixed environment variables. They correctly distinguish between client-accessible and server-only configurations.
- [Remote Code Execution] (SAFE): Suggested packages and dependencies are from established ecosystems (TanStack, Vite, Cloudflare). No use of 'curl | bash' or similar risky execution patterns was found.
- [Prompt Injection] (SAFE): There are no instructions that attempt to override system prompts or bypass security filters.
- [Input Validation] (SAFE): A dedicated rule ('sf-validation.md') treats input validation as a HIGH priority, providing clear examples using Zod and other standard schema libraries to protect against malformed or malicious data entering server functions.
- [Obfuscation] (SAFE): All files are written in clear Markdown and TypeScript. No Base64-encoded payloads or hidden Unicode characters were detected.
- [Indirect Prompt Injection] (LOW): While the skill describes processing external data (webhooks and API requests), it provides robust evidence chains for security: 1) Ingestion points are clearly defined in 'api-routes.md'; 2) Boundary markers are enforced via '.inputValidator()'; 3) Capabilities are limited to defined handlers; 4) Sanitization is recommended through Zod schema validation.