The Agent Skills Directory

[COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands for project scaffolding and dependency management, specifically npm create convex@latest and npm install. It correctly flags that npx convex dev involves interactive authentication and should be handled by the user rather than the agent.
[EXTERNAL_DOWNLOADS]: The skill facilitates the download and execution of project templates. While it defaults to official templates, it documents a feature allowing the use of arbitrary GitHub repositories as templates via the -t owner/repo flag, which constitutes a remote code execution surface if an untrusted repository is provided.
[PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection due to the direct interpolation of user-supplied strings into shell commands. Ingestion points: User input for project names and custom GitHub template identifiers (in SKILL.md). Boundary markers: Absent; the instructions do not prescribe the use of quotes or shell-safe delimiters when constructing commands. Capability inventory: The agent uses subprocess execution for npm and npx commands. Sanitization: The skill lacks instructions for validating or sanitizing user-provided strings before they are passed to the shell.

convex-quickstart