The Agent Skills Directory

[External Downloads] (MEDIUM): The skill downloads and executes third-party code from the NPM registry using npx and npm install. These packages are not from the predefined list of trusted organizations.
Evidence: Multiple bash examples utilize npx @graphql-inspector/cli and npm install -g @graphql-inspector/cli to perform schema operations.
[Command Execution] (LOW): The skill relies on the Bash tool to run CLI commands that parse files and interact with network services.
Evidence: Core functionality is delivered via bash snippets that execute the inspector tool against user-provided file paths and URLs.
[Indirect Prompt Injection] (LOW): The skill creates a surface for indirect prompt injection by ingesting and processing external schema data from files, Git history, and remote APIs.
Ingestion points: Local .graphql files, git branch contents, and responses from remote URLs (e.g., https://api.example.com/graphql).
Boundary markers: Not present; the agent parses the output of external tools that process these data sources without explicit delimiters.
Capability inventory: Bash, Read, Write, Edit, Glob, Grep.
Sanitization: Not present; the tool expects valid GraphQL schemas but the agent does not pre-sanitize the content against embedded instructions.

graphql-inspector-diff