php-crypto-audit
Pass
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill functions as a static analysis tool intended to identify cryptographic flaws in PHP code, such as weak hashing algorithms (MD5/SHA1), insecure encryption modes (ECB), and hardcoded keys. This is a legitimate security auditing use case.
- [SAFE]: No network activity, external downloads, or remote code execution patterns were identified. The skill references a local file for severity ratings and writes its output to a local directory.
- [SAFE]: No obfuscation or persistence mechanisms were found in the instructions.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface: The skill is designed to ingest and process untrusted external data (PHP source code). This creates a potential vector where malicious instructions embedded in the code being audited could influence the agent's behavior during the audit process.
- Ingestion points: PHP source code files from external projects (SKILL.md).
- Boundary markers: Absent; there are no instructions to use specific delimiters or warnings to ignore embedded instructions in the source files.
- Capability inventory: The skill utilizes file system read access for analysis and file system write access to save reports in {output_path}/vuln_audit/. No subprocess execution or network capabilities are present.
- Sanitization: Absent; the instructions do not specify any validation or filtering of the source code content before processing.