Pass. Audited by VirusTotal on May 11, 2026.
Findings (1)
The skill is classified as suspicious due to a severe Cross-Site Scripting (XSS) vulnerability in the `scripts/generate-html.py` script. This script directly inserts user-controlled input (derived from natural language descriptions) into HTML templates using simple string replacement without proper sanitization. This allows an attacker to inject arbitrary HTML or JavaScript into the generated preview pages, which `SKILL.md` states will be opened in an IDE preview window. While there is no clear evidence of intentional malicious behavior, this vulnerability poses a significant risk for code execution within the IDE's preview context.
