The Agent Skills Directory

[SAFE]: The skill provides instructions for generating a financial dashboard from local JSON data files. It includes specific privacy guardrails, such as masking account identifiers (e.g., ****1234) and explicitly forbidding the inclusion of sensitive personal information like Social Security Numbers.
[EXTERNAL_DOWNLOADS]: The skill fetches the D3.js library from jsDelivr, a well-known CDN. It correctly specifies the use of subresource integrity (SRI) hashes to ensure the external code has not been tampered with, which is a standard security best practice for web-based reports.
[PROMPT_INJECTION]: The skill has a surface for indirect prompt injection because it reads and processes external data (such as transaction notes or alerts) and embeds them into a generated HTML file.
Ingestion points: Local finance data files including transactions.json, accounts.json, and reports/alerts/.
Boundary markers: None explicitly defined to isolate text data within the generated HTML scaffold.
Capability inventory: Generates executable HTML/JavaScript files that can be opened in a browser.
Sanitization: The skill mandates masking of account numbers but does not explicitly instruct on HTML escaping for arbitrary string fields, which could potentially lead to cross-site scripting (XSS) if input data is malicious.

household-finance-dashboard-builder