The Agent Skills Directory

[COMMAND_EXECUTION] (LOW): The script scripts/scaffold.sh accepts project names as arguments and interpolates them into shell commands without sanitization. While double-quoted, this remains an attack surface for indirect prompt injection if the agent is prompted with a malicious project name containing shell metacharacters.- [EXTERNAL_DOWNLOADS] (SAFE): The skill performs downloads from the npm registry, which is a trusted source for developer dependencies. Use of npx and npm install is consistent with the skill's stated purpose of project scaffolding.- [DATA_EXFILTRATION] (SAFE): No sensitive data exfiltration or hardcoded credentials detected. Environment variable templates use local placeholders (e.g., localhost).

new-project-scaffolding