api-designer

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill's instructions, scripts, and reference files do not contain any malicious patterns, obfuscation, or persistence mechanisms.
  • [COMMAND_EXECUTION]: The skill executes local Python scripts (api-spec-validator.py, api-endpoint-matrix.py, compat-checker.py) as part of its core functionality for API analysis. These scripts are run using the 'uv' package runner and rely on standard libraries for processing specifications.
  • [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection because it reads and processes external codebase files and OpenAPI documents.
    • Ingestion points: Files ingested in spec, review, compat, and sdk modes, as well as the scanning of codebases in Spec mode.
    • Boundary markers: The interpolation steps do not include specific instructions to ignore embedded commands, though the agent is directed to parse and analyze the data rather than execute it.
    • Capability inventory: Local file system read access, output generation (specs and code scaffolds), and execution of local analysis scripts.
    • Sanitization: Employs json.dump for generating structured data and implements HTML entity escaping (escH) in the visualization dashboard to prevent cross-site scripting (XSS).
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 10, 2026, 02:19 AM