looker-studio

Pass

Audited by Gen Agent Trust Hub on Apr 8, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides various bash commands for installation (git clone) and for running the data pipeline script (python scripts/data_pipeline.py). These commands are standard for developer-oriented skills and are used to manage data synchronization tasks.
  • [EXTERNAL_DOWNLOADS]: The data pipeline script fetches marketing metrics from official APIs including Klaviyo (a.klaviyo.com) and Shopify store domains. These are well-known services and the downloads are part of the skill's core functionality.
  • [DATA_EXFILTRATION]: The skill facilitates the movement of sensitive marketing data (order totals, customer counts, campaign performance) from source APIs to Google Sheets. While this involves transferring data externally, the flow is from the user's own marketing accounts to their own Google Workspace, targeting well-known services (Google, Shopify, Klaviyo).
  • [CREDENTIALS_UNSAFE]: The skill handles sensitive API tokens and service account keys. It demonstrates safe practices by using environment variables, providing a .env.example template, and explicitly instructing the user to avoid hardcoding secrets and to use .gitignore to prevent credential exposure in version control.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because it ingests data from external APIs (such as campaign names or flow titles) and writes them to spreadsheets. If an agent later processes this data as instructions, a malicious campaign name could influence behavior. However, this is a standard risk for data-processing skills and is assessed as low risk due to the nature of the data involved.
  • [SAFE]: The skill's architecture is transparent, well-documented, and utilizes standard industry libraries for its operations. No malicious patterns such as obfuscation or persistence mechanisms were detected.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 8, 2026, 06:55 PM