The Agent Skills Directory

[COMMAND_EXECUTION]: The Prepare.bat script uses reg query to read the Steam installation path from the Windows Registry (HKEY_CURRENT_USER\Software\Valve\Steam). This is a targeted operation used to locate the game's assets.\n- [COMMAND_EXECUTION]: Setup procedures utilize mklink /J to create directory junctions, linking local and workshop script folders into the skill's environment.\n- [EXTERNAL_DOWNLOADS]: The skill fetches the uv tool installer from astral.sh and the busybox.exe utility from frippery.org. Both are established and well-known sources for these developer tools.\n- [REMOTE_CODE_EXECUTION]: During initial setup, the skill executes a remote PowerShell script from astral.sh to install the uv package manager. While this is a common installation pattern for this vendor, it involves executing code directly from the internet.\n- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it ingests and processes C# source code from the Steam Workshop (SteamScripts/). An attacker could embed malicious instructions in workshop content to influence agent behavior when these scripts are indexed or searched. \n
Ingestion points: index_scripts.py reads content from SteamScripts/ (Workshop content) and LocalScripts/.\n
Boundary markers: There are no specific boundary markers or instructions to ignore embedded prompts when the agent reads script contents.\n
Capability inventory: The skill has capabilities to run subprocesses via uv run and access the local filesystem.\n
Sanitization: No sanitization is applied to the ingested script source before it is processed or displayed in search results.

se-dev-script