skill-creator

Pass

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill contains utility scripts for skill development with built-in security controls.
  • [SAFE]: scripts/init_skill.py provides a controlled environment for initializing skill directories. It uses regular expression normalization (re.sub(r"[^a-z0-9]+", "-", normalized)) to ensure skill names are safe for the filesystem and to prevent name-based injection.
  • [SAFE]: scripts/package_skill.py includes proactive security measures for file operations. It uses a helper function _is_within to verify that all files being packaged are physically located within the skill's root directory, effectively preventing directory traversal attacks. Additionally, it explicitly detects and skips symlinks to prevent arbitrary file inclusion or exfiltration via link manipulation.
  • [SAFE]: scripts/quick_validate.py implements safe data parsing. When the PyYAML library is available, it uses yaml.safe_load() to parse frontmatter, which prevents execution of arbitrary Python objects. It also includes a custom fallback parser for environments without PyYAML that performs simple string splitting without using dangerous functions like eval() or exec().
  • [SAFE]: The documentation in SKILL.md provides clear, instructional guidance on skill architecture and progressive disclosure of context without any attempts to bypass agent safety filters or override system instructions.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 6, 2026, 01:22 AM