NYC

how-to-send-push-notifications-on-flutter-web-fcm

Pass

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: LOW
Full Analysis
  • EXTERNAL_DOWNLOADS (LOW): The firebase-messaging-sw.js file uses importScripts to load Firebase SDKs from gstatic.com. This is a trusted Google-controlled domain, qualifying for a severity downgrade per security guidelines.
  • INDIRECT_PROMPT_INJECTION (LOW): The skill establishes an ingestion point for external data via FCM push notifications (setBackgroundMessageHandler and Dart stream). However, the capability is limited to UI notifications and console logging, presenting no path for agent instruction override.
  • CREDENTIALS_UNSAFE (INFO): The configuration object contains placeholders like API_KEY and PROJECT_ID. These are standard instructional markers for user input and do not represent a leak of sensitive credentials.
Audit Metadata
Risk Level: LOW
Analyzed: Feb 16, 2026, 02:38 AM