brainstorming
Pass
Audited by Gen Agent Trust Hub on May 4, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses `scripts/start-server.sh` to launch a local Node.js server (`server.cjs`). This server is used to host a 'Visual Companion' interface for interactive design reviews. The server is configured to bind to the local loopback interface (127.0.0.1) by default, limiting exposure to the local machine.
- [PROMPT_INJECTION]: Indirect prompt injection surface identified (Category 8). The skill instructions direct the agent to 'Explore project context' by reading existing files, documentation, and commit history. If these project files contain malicious instructions, they could influence the agent's behavior. However, the skill includes a 'HARD-GATE' requirement, mandating explicit user approval of designs before any code is written or executed, which serves as a significant control.
- [EXTERNAL_DOWNLOADS]: Documentation in `visual-companion.md` suggests using images from Unsplash for mockups. This is a standard design practice and does not involve downloading executable scripts or code. The server itself is dependency-free, utilizing only Node.js built-in modules like `http`, `crypto`, and `fs`.
Audit Metadata