threat-model-generation

Pass

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: SAFE (flagged category: PROMPT_INJECTION)
Full Analysis
  • [SAFE]: The skill performs legitimate security analysis by scanning repository metadata (e.g., package.json, requirements.txt) and mapping architecture components. This behavior is consistent with its stated purpose of threat model generation and aligns with typical vendor-supported security workflows.
  • [SAFE]: File system operations are restricted to reading the repository for analysis and writing output files within a project-local directory (.factory/). No evidence of unauthorized sensitive file access (e.g., SSH keys, AWS credentials) or exfiltration was found.
  • [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface because it ingests untrusted data from the repository being analyzed. A malicious repository could contain crafted content designed to manipulate the resulting threat model or security configuration. However, because the skill does not execute the processed data or perform network operations, the impact is minimal.
      • Ingestion points: codebase files (Step 1), user-provided input, and existing threat model files.
      • Boundary markers: the instructions do not specify explicit delimiters or "ignore embedded instructions" warnings for the ingested repository content.
      • Capability inventory: local filesystem write access for documentation and configuration generation.
      • Sanitization: no explicit sanitization or validation of the ingested repository content is defined in the instructions.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 14, 2026, 09:39 AM
Security Audit — agent-trust-hub — threat-model-generation