skill-factory

Pass

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill promotes secure development practices. In 'references/skill-specs.md' and 'assets/skill-templates/api-skill.md', users are explicitly instructed to avoid hardcoding API keys and instead use environment variables and the 'skill_credentials' platform tool for secret management.
  • [SAFE]: The 'scripts/website-analyzer.py' file is a benign simulation script that demonstrates the analysis workflow without performing any unauthorized network requests, file system modifications, or credential harvesting.
  • [PROMPT_INJECTION]: The skill's primary function involves ingesting external data from websites via 'WebFetch', which introduces a surface for indirect prompt injection. However, this is inherent to its purpose as a documentation analyzer and no malicious instructions were found in the skill content itself.
    - Ingestion points: 'references/web-analysis-flow.md' and 'references/document-analysis-flow.md' specify fetching content from technical URLs.
    - Boundary markers: Absent from the templates.
    - Capability inventory: The skill uses 'WebFetch', 'Read', and 'search' tools.
    - Sanitization: No explicit content filtering is defined for the ingested technical text.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 16, 2026, 04:49 AM