The Agent Skills Directory

[REMOTE_CODE_EXECUTION]: The skill utilizes 'npx ai-eslint-config' to download and execute code from the NPM registry at runtime. This allows for the execution of logic not contained within the skill source code.
[EXTERNAL_DOWNLOADS]: The package 'ai-eslint-config' is fetched from the public NPM registry. This source is not identified as a trusted organization or well-known service in the security configuration.
[COMMAND_EXECUTION]: Multiple shell commands are suggested for execution, including 'npx ai-eslint-config' with flags like '--format' and '--dir'.
[CREDENTIALS_UNSAFE]: The skill explicitly requires the 'OPENAI_API_KEY' environment variable. Although no secret is hardcoded, the external package executed via npx gains access to this sensitive credential in the process environment.
[DATA_EXFILTRATION]: The tool is designed to read files from the user's codebase. Since it also requires an API key for network-based AI services, there is a technical path for local data to be transmitted externally.
[PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface. 1. Ingestion points: Reads codebase files to identify patterns. 2. Boundary markers: Absent. 3. Capability inventory: Subprocess execution via npx and file system read access. 4. Sanitization: No sanitization or validation of input files is documented before processing.

eslint-config-gen