The Agent Skills Directory

Data Exposure & Exfiltration (SAFE): The skill utilizes environment variables (process.env.UMBRACO_USER_PASSWORD) for testing credentials within Playwright E2E tests. This is standard development practice. No hardcoded secrets or credentials were found in the source code or example files.
Remote Code Execution (SAFE): Development scripts such as generate-openapi.js perform network requests to fetch Swagger/OpenAPI specifications for code generation purposes. These are build-time tools for developers and do not facilitate runtime execution of untrusted remote code.
Obfuscation (SAFE): Code is well-documented and transparent. Standard base64 encoding is utilized only for Basic Authentication headers in auto-generated API client files, which is a routine and non-malicious usage.
Best Practice Note (INFO): Several development scripts (generate-openapi.js) set NODE_TLS_REJECT_UNAUTHORIZED = '0'. While this is common in local CMS development to handle self-signed certificates, it is a security trade-off that disables SSL validation for that specific process. It is categorized as a low-risk best-practice violation limited to development utilities.
Indirect Prompt Injection (SAFE): While the skill provides UI components that accept user input (e.g., textareas for notes), these are template examples for building extensions. The underlying framework (Lit) provides automatic escaping for interpolated values, and the skill does not implement any logic that would bypass standard agent security boundaries.

umbraco-backoffice