- Create small, versionable skills that are easy to review.
- Audit `SKILL.md`, auxiliary scripts, and permissions before installing.
- Avoid skills that mix knowledge, execution, and secrets.
--- name: deploy-preview description: Crea un deploy preview y resume el resultado. allowed-tools: Bash(npm run build), Bash(vercel deploy --yes), Bash(git status *) disable-model-invocation: true --- 1. Comprueba estado de git. 2. Ejecuta build. 3. Crea deploy preview. 4. Devuelve URL, commit y errores si los hay. 5. No hagas deploy a produccion.
Audit checklist
- Read the entire `SKILL.md`, not just the description.
- Look for `curl`, `wget`, `nc`, `ssh`, `gh auth token`, `.env`, and external domains.
- Review `allowed-tools`: avoid `Bash(*)` unless it is local and trusted.
- Check scripts included in the skill folder.
- Test first in a clean project, without real credentials.