vscode-httpyac-config

Pass

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: SAFE
[COMMAND_EXECUTION] [DATA_EXFILTRATION] [PROMPT_INJECTION] [EXTERNAL_DOWNLOADS]
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides numerous examples and templates that involve executing JavaScript within the httpYac environment. This includes the use of Node.js built-in modules such as fs for file system operations like fs.writeFileSync and fs.readFileSync (documented in references/ADVANCED_FEATURES.md) and child_process for executing shell commands, specifically the use of the security command to fetch macOS keychain secrets in references/SECURITY.md.
  • [DATA_EXFILTRATION]: The skill's primary function is to handle and transmit API credentials and tokens. While it emphasizes security best practices like using .env files and .gitignore, the operational logic involves sending sensitive data to remote API endpoints and potentially logging truncated versions of these secrets, as seen in references/AUTHENTICATION_PATTERNS.md.
  • [PROMPT_INJECTION]: The skill is designed to ingest and process external data, such as Swagger/OpenAPI specifications or Postman collections (identified in SKILL.md), to generate executable test scripts. This workflow presents an indirect prompt injection surface where malicious instructions embedded in the source documentation could influence the generated code or subsequent agent actions. Mandatory evidence: ingestion points include API specs and documentation URLs; boundary markers are absent in generated files; capabilities include network (axios), file system (fs), and shell (exec); sanitization is not explicitly implemented during code generation.
  • [EXTERNAL_DOWNLOADS]: The documentation references and provides instructions for installing the httpyac CLI tool and various Node.js dependencies (e.g., axios, chai, faker, ajv) from the NPM registry. These are well-known packages and tools within the developer ecosystem and are treated as safe references.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 3, 2026, 12:16 PM