The Agent Skills Directory

[COMMAND_EXECUTION] (LOW): The script scripts/check-csp.sh executes the curl command using a user-provided URL. While the script's logic is limited to fetching and parsing HTTP headers, the ability to execute network commands on arbitrary inputs is a security consideration for the agent.
[DATA_EXFILTRATION] (LOW): The utility script scripts/check-csp.sh performs network operations to non-whitelisted domains (based on user input). However, no sensitive data access was found in conjunction with these operations.
[INDIRECT_PROMPT_INJECTION] (LOW): The skill has an attack surface where it processes data from untrusted external sources (HTTP headers).
Ingestion points: scripts/check-csp.sh fetches and parses headers from external URLs.
Boundary markers: Absent.
Capability inventory: curl execution and header parsing.
Sanitization: Absent; the script uses grep and sed on the raw output of the curl command.
[EXTERNAL_DOWNLOADS] (SAFE): The skill references the @marsidev/react-turnstile and turnstile-types packages. These are standard, well-known libraries for Turnstile integration and do not involve suspicious remote execution.
[CREDENTIALS_UNSAFE] (SAFE): The skill includes hardcoded keys in templates/turnstile-test-config.ts (e.g., 1x00000000000000000000AA). These are officially documented public test keys provided by Cloudflare for development and do not constitute a secret leak.

cloudflare-turnstile