AgentFlow

Focus: Who published it and whether it is traceable

Next action: Review repository, author, and README first; do not install directly when source is pending.

Focus: Whether install steps can be reviewed

Next action: Prefer candidates with install docs and repository evidence.

Focus: Whether tool descriptions may hide instructions

Next action: Read README, rules, and tool descriptions before install.

Focus: What it can access

Next action: Grant only task-required permissions and prefer Ask/manual confirmation.

Focus: Whether it runs commands or scripts

Next action: Manually confirm command-running skills in an isolated directory.

Focus: Whether file reads/writes can escape scope

Next action: Check working directory and file access scope before running.

Focus: Whether it may send data out

Next action: If unsure, restrict network access or allow only known domains.

Focus: Whether it handles tokens, private keys, or agent identity

Next action: Do not provide long-lived tokens or private keys to source-pending skills.

Focus: Whether external content can steer behavior

Next action: For browser/RAG/rules skills, review permissions and confirmation controls first.

Focus: Whether memory or retrieved context can be poisoned

Next action: Try RAG/memory skills in a low-privilege environment first.

Focus: Whether external tools and MCP access are clearly bounded

Next action: Confirm which external tools it will connect to before install, and start with the smallest possible set.

Focus: Whether destructive or external actions require confirmation

Next action: Avoid directly installing high-risk skills without confirmation controls.

Focus: How far impact can spread when something goes wrong

Next action: If unsure, test in an isolated project first.

Focus: Whether actions can be traced

Next action: Prefer candidates with logs or previews.

Focus: Whether it is maintained and reusable

Next action: Check license and maintenance before organizational use.