gpc-monetization

Pass

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The detection script scripts/detect_gpc.mjs executes npx gpc, which can trigger a download and execution of the gpc package from the npm registry if the tool is not already installed locally.
  • [COMMAND_EXECUTION]: The skill relies on shell command execution for its primary functions. Inputs provided by users or extracted from files (such as product IDs, tokens, and base64-encoded payloads) are interpolated into CLI commands, which may lead to command injection if the agent does not properly sanitize these inputs.
  • [PROMPT_INJECTION]: The skill ingests untrusted external data that enters the agent's execution context, creating an indirect prompt injection surface.
      • Ingestion points: JSON configuration files for subscriptions and in-app products (--file and --dir arguments) and base64-encoded notification payloads (gpc rtdn decode).
      • Boundary markers: No specific delimiters or safety instructions are provided to the agent to distinguish between data and potentially embedded instructions within these inputs.
      • Capability inventory: The skill allows for the creation, modification, and deletion of monetization assets on the Google Play Console, as well as the retrieval of financial order and purchase information.
      • Sanitization: The skill does not implement validation or sanitization for the content of JSON files or the results of payload decoding before the agent processes them.
Audit Metadata
  Risk Level: SAFE
  Analyzed: Apr 17, 2026, 07:47 PM