pandadoc
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill documents interactions with the official PandaDoc API at api.pandadoc.com, which is a well-known and trusted service.
- [SAFE]: Sensitive credentials like API keys and OAuth tokens are handled using placeholders ({{api_key}}, {{oauth_token}}) rather than being hardcoded, aligning with security best practices.
- [SAFE]: It recommends the use of official and verified SDKs (pandadoc-api-client for Python and @pandadoc/node-client for Node.js) for interacting with the service.
- [SAFE]: No evidence of malicious command execution, data exfiltration, or obfuscation techniques was found.
- [PROMPT_INJECTION]: The skill processes user-supplied data such as recipient emails, document names, and field values that are sent to the PandaDoc API. While this creates an indirect prompt injection surface, it is necessary for the skill's primary function and documented neutrally.
  - Ingestion points: recipient emails, phone numbers, names, document names, and field data in SKILL.md.
  - Boundary markers: Absent.
  - Capability inventory: Creating, sending, and managing documents via PandaDoc API calls in SKILL.md.
  - Sanitization: Absent.
Audit Metadata