Deep Coding

What to check before using this skill: - Dependencies: The SKILL.md expects you to run a Python server and to run Playwright-based E2E tests (Node + Playwright). The package metadata does not list these binaries. Do not assume they exist — verify and install (in a sandbox) first. - Inspect assets/server.py carefully before running. It serves files from the directory where you run it and likely binds to all network interfaces by default. This can expose project files (including secrets, keys, node_modules, config files) to the network. If you run it, limit binding to localhost (127.0.0.1) and run it in a directory that contains only safe project files. - Path traversal / file exposure: The server constructs file paths from request URLs. Verify its send_file implementation and test whether crafted requests can access files outside the intended directory. Run in an isolated environment until you confirm it's safe. - Execution surface: Reviewers/Builders are instructed to run and serve generated project code. That means arbitrary code execution: only run this on machines/environments where executing untrusted/generated code is acceptable (use containers or VMs). - Platform primitives and privileges: The orchestrator instructions assume platform features (sessions_spawn, agentId:qoder, runtime:acp). Confirm how those operate on your platform and whether they will run code remotely or with network access. - Hardening suggestions: run server.py in a constrained environment (container/VM), change binding to 127.0.0.1, remove any secrets from the project directory, explicitly install Playwright and Node in isolated envs, and test the server's file-serving behavior for path traversal before exposing it to networks. Given these mismatches and the potential for accidental data exposure or untrusted code execution, treat the skill as 'suspicious' until you validate and harden the included server and runtime assumptions.