sap-sac-custom-widget

Pass

Audited by Gen Agent Trust Hub on Apr 3, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill documentation and templates reference the integration of visualization libraries like Apache ECharts, D3.js, and Chart.js via well-known content delivery networks such as jsDelivr and Unpkg. These are documented as standard implementation patterns for SAC Web Components and do not represent a security risk.
  • [DATA_EXFILTRATION]: Documentation outlines legitimate deployment workflows for custom widgets, including hosting on GitHub Pages, AWS S3, or the internal SAC file system. No patterns involving unauthorized data harvesting, hardcoded credentials, or sensitive file access were identified.
  • [REMOTE_CODE_EXECUTION]: The skill assists in the generation of client-side JavaScript for Web Components. These components execute within the sandboxed browser environment provided by the SAC framework, and the skill contains no mechanisms for executing arbitrary code or commands on the developer's host system.
  • [PROMPT_INJECTION]: The skill generates code for processing and displaying data from SAC models. To mitigate potential security risks, the 'Best Practices' reference explicitly includes implementation guides for HTML sanitization to prevent Cross-Site Scripting (XSS) and other injection vulnerabilities.
  • [COMMAND_EXECUTION]: Slash commands defined for the skill (/widget-validate, /widget-lint) provide development utility for checking project structure and performance. These tools are scoped to the local project files and do not perform any privileged or persistence-related operations.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 3, 2026, 01:39 PM