app-builder

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill consumes untrusted natural language requests to plan and implement application features, creating a significant attack surface.
  • Ingestion points: User requests analyzed in SKILL.md and project-detection.md to drive project generation.
  • Boundary markers: Absent. There are no delimiters or instructions to help the agent distinguish between valid feature requests and malicious instructions embedded in the user prompt.
  • Capability inventory: Access to Bash, Write, Edit, and Agent tools across all files, enabling complete control over the filesystem and shell execution.
  • Sanitization: Absent. The feature-building.md logic encourages the agent to analyze requests and apply changes directly to the codebase without safety filtering.
  • Command Execution (HIGH): The SKILL.md frontmatter explicitly allows the Bash tool. The agent uses this to execute complex setup and build commands, such as npm run dev, uvicorn, and npx expo start. This capability, when combined with unvalidated user input, allows for arbitrary remote code execution on the user's environment.
  • External Downloads (MEDIUM): Most templates (e.g., templates/cli-tool/TEMPLATE.md, templates/python-fastapi/TEMPLATE.md) rely on installing third-party packages from public registries at runtime.
  • Risk: Without strict version pinning or verification, the agent might install malicious or typosquatted packages if suggested by a malicious user prompt.
  • Evidence: Use of npm install, pip install, and npx across 12 template files.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 15, 2026, 08:40 PM