The Agent Skills Directory

[CREDENTIALS_UNSAFE]: The skill collects the user's Clerk Secret Key via the AskUserQuestion tool and subsequently passes it as a command-line argument to a Node.js script (deploy-connect.js). Credentials passed as CLI arguments are insecure because they are typically visible in the system's process list (e.g., via the ps command) and may be saved in shell history files.
[COMMAND_EXECUTION]: The deployment command interpolates the user-provided <codename> directly into a Bash execution string without visible sanitization. A malicious or accidental input containing shell metacharacters (e.g., ;, &, |, or backticks) could result in arbitrary command execution on the host machine.
[EXTERNAL_DOWNLOADS]: The skill invokes npm install to ensure its internal dependencies are present before execution. This involves downloading third-party packages from the public npm registry.
[REMOTE_OPERATIONS]: The skill performs SSH operations to a third-party service (exe.dev) and clones a Git repository (selem/docker-for-all) onto a remote VM. While this is the intended functionality for a deployment tool, users should be aware of the external infrastructure involved.

connect