The Agent Skills Directory

[CREDENTIALS_UNSAFE]: The skill correctly handles the BRIGHTDATA_API_KEY by instructing users to set it as an environment variable (export BRIGHTDATA_API_KEY="..."). It explicitly warns against printing the key or sharing it in the chat interface, which is an excellent security practice.
[COMMAND_EXECUTION]: The skill uses a dynamic context check (!if [ -z "$BRIGHTDATA_API_KEY" ]...) to verify if required credentials are set before execution. This is a benign use of the feature for environment validation.
[DATA_EXFILTRATION]: The Python collection script (brightdata-geo.py) makes network requests to api.brightdata.com. This is the intended behavior for interacting with the Bright Data API to trigger and download dataset snapshots. No unauthorized data exfiltration patterns were detected.
[EXTERNAL_DOWNLOADS]: The skill's React template utilizes standard dependencies from the npm registry (e.g., Vite, React, Tailwind CSS). While an automated scanner flagged a specific esbuild binary URL, this originates from the official registry.npmjs.org domain, which is a well-known and trusted service for package management.
[PROMPT_INJECTION]: The SKILL.md instructions focus on defining a professional workflow for prompt discovery and data analysis. There are no patterns suggesting attempts to bypass AI safety filters or override system constraints.
[INDIRECT_PROMPT_INJECTION]: The React dashboard visualizes data collected from external LLM responses. The application renders this content using standard React text elements (p tags with whitespace-pre-wrap) and does not use dangerous methods like dangerouslySetInnerHTML, effectively mitigating the risk of script injection from untrusted audit results.

geo-audit-report