NYC

openai-assistants

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: CRITICAL

Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (SAFE): The skill depends on the official openai Node.js package from a trusted organization. This dependency is considered safe under the [TRUST-SCOPE-RULE].
  • COMMAND_EXECUTION (SAFE): The scripts/check-versions.sh script is a benign utility that uses npm list to check for compatible package versions.
  • DATA_EXFILTRATION (SAFE): The skill correctly uses environment variables for API key management and does not exhibit patterns of unauthorized data transmission.
  • INDIRECT_PROMPT_INJECTION (LOW): The skill enables Retrieval-Augmented Generation (RAG) and data analysis tools that process external files. Evidence Chain: (1) Ingestion points: file-search-assistant.ts and code-interpreter-assistant.ts; (2) Boundary markers: Absent; (3) Capability inventory: File reading and Python code execution in a sandboxed environment; (4) Sanitization: Not implemented in these example templates.
  • MALICIOUS_URL (SAFE): The automated scan alert for openai.beta.threads.me is identified as a false positive. The scanner likely misinterpreted the SDK namespace openai.beta.threads.messages as a phishing URL by detecting the .me string as a top-level domain within the property path.
Recommendations
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 17, 2026, 06:01 PM