whop
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- Prompt Injection (SAFE): No instructions were found that attempt to override agent behavior or bypass safety guidelines. The content is strictly technical documentation for the Whop API.
- Data Exposure & Exfiltration (SAFE): The skill demonstrates best practices by using environment variables for credentials (e.g., WHOP_API_KEY). Although it references the non-whitelisted domain 'api.whop.com', this is integral to its primary purpose and does not involve unauthorized data exfiltration.
- Obfuscation (SAFE): The skill content is clear and readable, with no evidence of Base64, zero-width characters, or other encoding techniques used to hide malicious intent.
- Unverifiable Dependencies & Remote Code Execution (SAFE): No remote scripts are downloaded or executed, and no third-party package installations are initiated.
- Privilege Escalation (SAFE): While the skill frontmatter requests the 'Bash' tool, the provided content does not include any commands to escalate privileges, modify system configurations, or bypass security controls.
- Indirect Prompt Injection (SAFE):
  - Ingestion points: Documentation describes fetching data from the Whop API (e.g., membership and payment data).
  - Boundary markers: Code snippets assume a standard development environment and do not implement specific delimiters for external data.
  - Capability inventory: The skill allows access to 'Bash', 'Write', and 'Edit' tools.
  - Sanitization: The documentation correctly includes examples of webhook signature verification to ensure the integrity of incoming data.