The Agent Skills Directory

[SAFE]: The skill implements strong security controls in its utility scripts. The _validate_webhook_url function in scripts/dev_tools.py prevents Server-Side Request Forgery (SSRF) by blocking private IP ranges, loopback addresses, and cloud metadata endpoints. Similarly, _safe_output_path and _safe_input_file functions prevent path traversal attacks by ensuring file operations are confined to the current working directory.
[COMMAND_EXECUTION]: The skill includes Python scripts that interact with the Klaviyo API. These operations are limited to authenticated API calls using the official klaviyo-api SDK and are used for documented integration tasks like event tracking and profile management.
[EXTERNAL_DOWNLOADS]: Dependencies listed in requirements.txt (klaviyo-api, python-dotenv) are standard, well-maintained libraries from a well-known service provider (Klaviyo).
[CREDENTIALS_UNSAFE]: No hardcoded credentials were found. The skill follows best practices by using a .env.example file and instructing users to store API keys in environment variables, which are then loaded securely via python-dotenv.
[PROMPT_INJECTION]: The instructions are focused on providing developer guidance and do not contain patterns attempting to bypass agent safety filters or override system constraints.
[DATA_EXFILTRATION]: While the skill can export data to CSV files, these actions are user-initiated via CLI tools and include security checks to prevent unauthorized file system access. Network activity is limited to the official Klaviyo API endpoints.

klaviyo-developer