
riff

Warn

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses dynamic path resolution to locate its internal scripts. It derives VIBES_ROOT from the CLAUDE_PLUGIN_ROOT environment variable or by navigating two levels up from the skill's directory (CLAUDE_SKILL_DIR). It then executes local JavaScript files such as generate-riff.js and assemble-all.js with the bun runtime via shell commands.
  • [PROMPT_INJECTION]: The skill exhibits a potential shell argument injection surface (indirect prompt injection). User input for app themes and visual styles is collected via the AskUserQuestion tool and then interpolated into Bash commands in Step 3. Ingestion points: Step 1 AskUserQuestion (SKILL.md); boundary markers: none; capability inventory: Bash, Write, Read (SKILL.md); sanitization: none.
  • [EXTERNAL_DOWNLOADS]: The skill's HTML templates (index.html and template.delta.html) reference and load multiple JavaScript libraries and CSS frameworks from well-known services, including unpkg.com, jsdelivr.net, and esm.sh (e.g., Babel, Tailwind, React). These are considered safe, well-known technology providers.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 29, 2026, 07:25 PM