turborepo
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW
Full Analysis
- SAFE (SAFE): The skill provides structured guidance for Turborepo, including configuration of turbo.json, optimization of build pipelines, and CI setup. No security violations were found.
- Prompt Injection (SAFE): No evidence of instructions attempting to bypass safety filters or override system prompts. The workflow uses clear boundary markers (<user-request>) for user input.
- Data Exposure & Exfiltration (SAFE): The skill discusses the use of environment variables like TURBO_TOKEN and AWS_SECRET_KEY purely in a documentation context, demonstrating how to properly handle them in a monorepo (e.g., using passThroughEnv or GitHub Secrets). There are no commands that attempt to leak or exfiltrate these values.
- Obfuscation (SAFE): No use of Base64, zero-width characters, homoglyphs, or other encoding techniques to hide malicious intent.
- Unverifiable Dependencies & Remote Code Execution (SAFE): All suggested package installations (e.g., turbo, syncpack, manypkg, sherif) and command invocations (npx turbo-ignore) are standard tools within the Vercel/Node.js ecosystem for monorepo management.
- Indirect Prompt Injection (LOW): The skill processes untrusted user input via the $ARGUMENTS variable to determine which Turborepo tasks to perform. While this is a high-capability surface (file modification and command generation), the risk is mitigated by explicit boundary markers and a strictly defined workflow that adheres to known build system patterns.