push-notification-tester

Pass

Audited by Gen Agent Trust Hub on Mar 23, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts send-android-push.js and send-ios-push.js automatically invoke npm install using child_process.execSync to ensure required dependencies are present before execution. This is localized to the script's directory and used for package management.
  • [EXTERNAL_DOWNLOADS]: The skill downloads established Node.js libraries (@parse/node-apn, axios, google-auth-library) from the official npm registry during its initialization phase.
  • [CREDENTIALS_UNSAFE]: The skill requests paths to sensitive authentication materials, specifically APNs certificate/key PEM files and Firebase service account JSON files. This access is necessary for the skill to function as a push notification tester and is facilitated through user-supplied command-line arguments.
  • [DATA_EXFILTRATION]: The skill transmits push notification payloads, including device tokens and metadata, to legitimate well-known service endpoints: Google's Firebase Cloud Messaging (FCM) API and Apple's Push Notification service (APNs). This behavior aligns with the primary intended use-case.
  • [PROMPT_INJECTION]: The skill processes untrusted input via command-line arguments (e.g., --caller-name, --caller-number) which are interpolated into JSON payloads. While this constitutes an indirect injection surface, the data is sent to external notification services rather than being executed locally as instructions.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 23, 2026, 06:36 PM