gpc-metadata-sync

Pass

Audited by Gen Agent Trust Hub on May 6, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions and detection script (scripts/detect_gpc.mjs) involve executing the gpc CLI to perform store listing management. These commands are standard for the tool's intended purpose and do not show signs of malicious intent or unsafe input handling.
  • [EXTERNAL_DOWNLOADS]: The skill references the @gpc-cli/cli package on NPM as a dependency for managing Play Store metadata. This is a legitimate tool required for the skill's functionality.
  • [DATA_EXPOSURE]: The skill documentation describes how the gpc tool uses environment variables (e.g., GPC_SERVICE_ACCOUNT, ANTHROPIC_API_KEY) for authentication and optional AI features. These are standard configuration practices for CLI tools and are not hardcoded or exfiltrated by the skill itself.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes metadata files (e.g., title.txt, full_description.txt) from the local filesystem to sync with the Google Play Console. This represents an ingestion surface for external data, but the skill uses structured workflows and validation (linting), which reduces the risk of unintended behavior. Severity is low as per standard assessment.
Audit Metadata
Risk Level: SAFE
Analyzed: May 6, 2026, 03:57 AM