The Agent Skills Directory

[COMMAND_EXECUTION] (MEDIUM): The skill metadata requests 'Bash (*)' permissions, granting the agent unrestricted shell access. This violates the principle of least privilege, as the stated purpose of the skill (managing animations) does not require arbitrary command execution capabilities.
[REMOTE_CODE_EXECUTION] (MEDIUM): The Troubleshooting section refers to an external 'context7' skill for the 'latest API'. This creates an unverifiable dependency on a separate instruction set which could contain malicious content or high-privilege tools.
[EXTERNAL_DOWNLOADS] (LOW): The skill guides the agent to perform 'npm install @rive-app/react-canvas'. While this is a standard library from a known organization, downloading and installing packages from external registries always carries a baseline risk of supply chain compromise.

frontend-rive