The Agent Skills Directory

[COMMAND_EXECUTION]: The skill uses the user-provided projectName argument to construct file system paths using path.join(). Because this input is not sanitized, it is susceptible to path traversal, which could allow an attacker to write files or create directories outside the intended location (e.g., using ../ sequences).\n- [COMMAND_EXECUTION]: The implementation executes npm install via execSync within the target directory. This results in the execution of package manager logic and potentially any pre/post-install scripts defined in the template's metadata.\n- [EXTERNAL_DOWNLOADS]: The npm install command triggers the download of third-party dependencies from the npm registry to the local execution environment.\n- [DATA_EXFILTRATION]: The skill performs telemetry by sending the templateId to an external URL (https://gallery-telemetry.up.railway.app) via an HTTP GET request. While the skill includes checks for DO_NOT_TRACK and DISABLE_TELEMETRY environment variables, this remains a network operation that transmits usage data to an external service.

use-template