cloudflare-full-stack-scaffold

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS

Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): The skill documentation instructs the execution of multiple shell scripts located in the scripts/ directory, including setup-project.sh, init-services.sh, enable-auth.sh, and enable-ai-chat.sh.
      • Evidence: These scripts are described as having capabilities to modify the filesystem (cp -r), run build commands (npm install), and update configuration files (wrangler.jsonc, .dev.vars).
      • Risk: The scripts are not provided for direct analysis, and their description indicates they interact with sensitive setup processes.
  • [EXTERNAL_DOWNLOADS] (LOW): The workflow relies on npm install to download a large number of third-party packages.
      • Evidence: The skill references package.json containing dependencies for React, Hono, AI SDK, and Clerk.
      • Risk: Standard dependency risk associated with supply-chain attacks, exacerbated by the 'all Cloudflare services' scope.
  • [CREDENTIALS_UNSAFE] (LOW): The skill specifically targets the handling of sensitive credentials.
      • Evidence: enable-auth.sh and enable-ai-chat.sh are described as 'prompting for API keys' and updating .dev.vars files.
      • Risk: While this is a standard developer workflow, the handling of keys by unverified scripts is a sensitive data surface.
  • [PROMPT_INJECTION] (LOW): The skill implements a 'Session handoff protocol' via SCRATCHPAD.md to bridge context between AI sessions.
      • Category 8 (Indirect Prompt Injection) Evidence Chain:
          • Ingestion points: SCRATCHPAD.md file reads and writes.
          • Boundary markers: None mentioned in the README for delimiting handoff data.
          • Capability inventory: Shell script execution, filesystem writes, and network operations (via wrangler).
          • Sanitization: No mention of sanitizing the content passed between sessions via the scratchpad.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:07 PM