oma-design

Warn

Audited by Gen Agent Trust Hub on May 3, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill relies on complex shell command pipelines in resources/getdesign-fetcher.md and resources/stitch-integration.md to automate its workflow. These scripts use system utilities including curl, python3, tar, shasum, awk, and rm. For example, it pipes curl output to python3 for JSON parsing and uses tar to extract specific files from downloaded tarballs.
  • [REMOTE_CODE_EXECUTION]: The skill executes external CLI tools directly from the npm registry using npx and bunx. Specifically, it calls bunx getdesign@latest for template management and npx @_davideast/stitch-mcp for optional design integration. Because these are unpinned (@latest), they present a supply-chain risk where a compromised upstream package could execute arbitrary code on the host system.
  • [EXTERNAL_DOWNLOADS]: The skill performs multiple external network requests to non-whitelisted domains to fetch metadata and design templates. It queries https://registry.npmjs.org/getdesign/latest to resolve package URLs and downloads markdown templates from the getdesign.md vendor site. While the fetcher implementation includes integrity verification, the initial manifest retrieval and tool execution occur before these checks.
  • [PROMPT_INJECTION]: The skill identifies external design templates as a potential indirect prompt injection vector. It implements a defensive framing strategy in resources/getdesign-fetcher.md that instructs the agent to treat fetched content as reference data and explicitly ignore any imperative or meta-instructions within the external files.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 3, 2026, 09:10 AM