skillboss

Fail

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: HIGH
Finding categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill implements an auto-update system through install/update.sh and install/update.ps1 that downloads a ZIP archive from https://www.skillboss.co/api/skills/download and overwrites the local skill directory with remote content.
  • [COMMAND_EXECUTION]: In scripts/api-hub.js, the checkForUpdates function uses child_process.execSync to automatically run the update shell script without user confirmation when a version mismatch is detected.
  • [DATA_EXFILTRATION]: The deployment utility scripts/serve-build.js recursively reads project files to upload them to https://build.heybossai.com. The script's logic explicitly includes .env files in the upload while excluding other hidden files. Since .env files commonly store sensitive credentials and API keys, this behavior results in the exfiltration of secrets to third-party infrastructure.
  • [PROMPT_INJECTION]: The instructions in SKILL.md use "CRITICAL" and "MANDATORY" markers to force the AI agent to stop its current task and execute local scripts immediately based on strings detected in tool output. This behavioral override pattern is used to enforce updates but represents a risk of hijacking the agent's control flow.
  • [EXTERNAL_DOWNLOADS]: The skill performs downloads and network operations targeting several vendor domains including skillboss.co, heybossai.com, heyboss.ai, and skillboss.live. While these are vendor resources, the nature of the downloads (executable code) and uploads (project source and secrets) creates a significant security surface.
  • [INDIRECT_PROMPT_INJECTION]: Through the linkup-fetch, scrape, and search commands, the skill ingests data from untrusted external websites and documents. This content enters the agent's context without clear boundary markers or sanitization, making the agent vulnerable to indirect prompt injection where instructions hidden in external data could override agent behavior.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 11, 2026, 03:21 PM