The Agent Skills Directory

[REMOTE_CODE_EXECUTION]: The skill instructs the agent to offer an installation method that downloads a shell script from a remote GitHub repository (https://raw.githubusercontent.com/yasserstudio/gpc/main/scripts/install.sh) and pipes it directly into the bash interpreter. This practice is inherently risky as it bypasses local security controls and integrity verification.- [COMMAND_EXECUTION]: The detection utility scripts/detect_gpc.mjs utilizes execSync to run several shell commands, including gpc --version and gpc auth status, to gather information about the local environment. This execution of external binaries based on local state is a form of dynamic execution.- [CREDENTIALS_UNSAFE]: The skill manages highly sensitive Google Play Console service account JSON keys and OAuth tokens. It encourages the storage of these credentials in environment variables and local configuration files, which increases the potential impact of an environment compromise.- [PROMPT_INJECTION]: The skill parses output from external CLI commands without adequate sanitization or the use of boundary markers, creating a surface for indirect prompt injection if the tool's output is manipulated.
Ingestion points: The script scripts/detect_gpc.mjs ingests and parses JSON data from the gpc auth status and gpc config commands.
Boundary markers: No specific delimiters or markers are used to isolate untrusted tool output from the agent's internal logic.
Capability inventory: The skill possesses the ability to execute shell commands, read configuration files, and manage environment variables.
Sanitization: There is no evidence of sanitization or schema validation performed on the output retrieved from the CLI tools.

gpc-setup