The Agent Skills Directory

[COMMAND_EXECUTION]: The script scripts/nocobase-api.sh uses the source command on a .env file located in the user's current working directory. This is a form of dynamic code execution; if the .env file contains malicious shell commands instead of simple variable assignments, those commands will be executed with the privileges of the agent.
[CREDENTIALS_UNSAFE]: The skill is designed to handle and store a NOCOBASE_API_TOKEN. It encourages users to place these credentials in environment variables or a plain-text .env file. While the skill includes a .gitignore to prevent accidental commits, storing secrets in local files increases the surface area for credential theft.
[EXTERNAL_DOWNLOADS]: The skill uses the curl utility to send data to and retrieve data from NocoBase API endpoints. This is the primary function of the skill and targets the vendor's infrastructure, but it involves outbound network communication based on user-provided endpoints.
[COMMAND_EXECUTION]: The script constructs a curl command using user-supplied arguments for the HTTP method, endpoint, and data payload. While there is a basic check for the HTTP method, the endpoint and data arguments are passed directly to curl, which could be exploited if the agent is tricked into using malicious arguments.

nocobase-api-call