The Agent Skills Directory

[COMMAND_EXECUTION]: The skill uses the bash() tool to perform analysis through various commands including git log, wc, npm audit, bun test, and sg (ast-grep). These are used to measure repository metrics and identify code patterns associated with technical debt.
[EXTERNAL_DOWNLOADS]: The skill executes npm audit, which connects to the official NPM registry to check for known security vulnerabilities in the project's dependency tree. This is a well-known service and the operation is appropriate for a security-conscious audit.
[COMMAND_EXECUTION]: The skill utilizes the task() tool to spawn sub-agents for parallelizing the audit process across different code dimensions, enhancing performance on large repositories.
[DATA_EXFILTRATION]: As part of its security hygiene audit, the skill uses grep patterns to identify potential hardcoded secrets such as API keys, secrets, and passwords. These findings are recorded in a local TECH_DEBT_AUDIT.md file rather than being sent to an external service.
[PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface. 1. Ingestion points: Entire codebase via glob and read. 2. Boundary markers: Absent. 3. Capability inventory: Command execution via bash and task delegation via task. 4. Sanitization: Absent. The skill summarizes untrusted code content into its audit report, which could potentially be influenced by malicious comments or code designed to mislead the analysis.
[SAFE]: No signs of obfuscation, persistence mechanisms, or unauthorized privilege escalation were detected. The skill's behavior is consistent with its stated purpose of codebase auditing.

tech-debt-audit