zhin-mcp-server

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [Unverifiable Dependencies] (MEDIUM): The skill instructs the user to install @zhin.js/mcp. This package and its scope (@zhin.js) are not part of the defined trusted sources list, posing a supply chain risk if the package is compromised or malicious.
  • [Indirect Prompt Injection] (HIGH): The skill exposes several tools (create_plugin, create_command, create_adapter, create_model) that write source code to the local disk.
      • Ingestion points: Parameters like name, description, features, and pattern in the scaffolding tools are derived from the AI's context.
      • Boundary markers: There are no explicit instructions or delimiters provided to the agent to ignore instructions embedded in the data being used to generate these files.
      • Capability inventory: The tools have the explicit capability to write .js or .ts files to the src/plugins directory or other user-specified paths.
      • Sanitization: No sanitization or validation logic is defined to prevent the generation of malicious code snippets if the agent is influenced by an adversarial prompt (e.g., from a website the agent is summarizing).
  • [Command Execution] (LOW): The Claude Desktop configuration suggests using curl to connect to a local port. While standard for this framework, it relies on a local server being active and accessible, which could be targeted by other local processes.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 07:49 AM