setup-wizard

Pass

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a series of system commands to create directories, initialize projects, and configure services.
      • Evidence: Commands include mkdir -p {{PROJECTS_DIR}}, laravel new {{PROJECT_NAME}}, composer require filament/filament, php artisan filament:install, herd link, and git commit.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (command injection) because user-provided strings are directly interpolated into shell commands.
      • Ingestion points: PROJECT_NAME and PROJECTS_DIR are captured from user input.
      • Boundary markers: No delimiters or explicit escaping mechanisms are used when interpolating these variables into shell commands.
      • Capability inventory: The skill has the ability to run arbitrary shell commands via the agent's terminal tool, including directory creation and package management.
      • Sanitization: The skill contains natural language instructions for the agent to validate the project name (lowercase, no spaces), but lacks technical enforcement or escaping to prevent execution of metacharacters (e.g., ;, &, |) if the agent fails to validate the input properly.
  • [EXTERNAL_DOWNLOADS]: The skill instructs the user to download and install Laravel Herd from a remote URL.
      • Evidence: herd.laravel.com/download and herd.laravel.com.
      • Context: These are well-known, official sources for the Laravel ecosystem and are considered safe.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 28, 2026, 10:24 PM