The Agent Skills Directory

Indirect Prompt Injection (HIGH): The skill possesses a significant attack surface for indirect prompt injection.
Ingestion points: The skill reads external project files using cat and rg (e.g., src/*.ts, file.ts, legacy.ts) in almost every operation.
Boundary markers: None. Source code is directly interpolated into prompts (e.g., Convert this JavaScript to TypeScript: $CODE). There are no delimiters or instructions to the AI to ignore embedded commands within the code.
Capability inventory: The skill utilizes powerful shell capabilities including mv, sed -i (file modification), and npx jscodeshift (AST manipulation). An agent using this skill typically has broad file system access.
Sanitization: No sanitization or filtering is performed on the ingested code before it is sent to the LLM.
Command Execution (MEDIUM): The skill frequently uses shell interpolation and execution ($(cat ...), $(rg ...)). While common in CLI tools, this pattern can lead to command injection if filenames or directory structures are manipulated by an attacker to include shell metacharacters.
Dynamic Execution (MEDIUM): The skill encourages the creation and execution of jscodeshift transforms (npx jscodeshift -t transform.ts). This involves executing JavaScript code that could be modified by external actors in a collaborative environment.
External Downloads (LOW): The skill requires installing google-generativeai, jscodeshift, and typescript. These are from trusted sources (Google and the official npm registry) and are standard for the tool's purpose, but represent an external dependency chain.
Data Exposure (LOW): The skill is designed to send local source code to an external AI provider (Google). While this is the intended functionality, users should be aware that sensitive code content is transmitted over the network.

refactor