ucharts

Warn

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, PROMPT_INJECTION

Full Analysis
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill's primary installation instructions (found in SKILL.md, templates/installation.md, and examples/guide/installation.md) recommend installing the @qiun/ucharts package via npm, yarn, or pnpm. Because the @qiun organization is not listed among the trusted GitHub organizations or repositories defined in the security scope, the dependency is considered unverifiable. Users should perform a manual audit of the package before installation.
  • PROMPT_INJECTION (LOW): The skill exhibits an Indirect Prompt Injection surface (Category 8) because it processes untrusted external data to generate charts.
    1. Ingestion points: External data enters the agent context through the chartData property in Vue templates (e.g., in examples/charts/line.md).
    2. Boundary markers: There are no markers or system instructions provided to help the agent distinguish between data and potentially embedded instructions.
    3. Capability inventory: The skill includes network fetching via the fetch() API and reactive component rendering; however, no arbitrary command execution or file system write operations were detected.
    4. Sanitization: There is no evidence of input validation or sanitization in the provided templates.
    The severity is LOW because the capability is restricted to 'Display only' (Tier: INFO).
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 15, 2026, 11:47 PM