warden-sweep
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill performs expected developer workflow automation including code scanning and repository management. No malicious patterns, obfuscation, or unauthorized data exfiltration were detected.
- [COMMAND_EXECUTION]: The skill correctly uses list-based subprocess calls to execute standard utilities such as `git`, `gh`, and `warden`. These commands are scoped to the repository's needs (e.g., enumeration, diffing, and issue creation).
- [INDIRECT_PROMPT_INJECTION]: The skill possesses a vulnerability surface for indirect prompt injection as it ingests and processes all files in a repository to generate findings. These findings are then interpolated into subagent prompts for verification and patching.
  - Ingestion points: All repository files are scanned by `warden` in `scripts/scan.py`.
  - Boundary markers: Absent; the subagent prompts in `references/verify-prompt.md` and `references/patch-prompt.md` do not explicitly instruct the model to ignore instructions embedded within the codebase being analyzed.
  - Capability inventory: Subagents have the ability to read and write files and interact with Git via the `patch-prompt.md` instructions.
  - Sanitization: Findings are extracted as structured JSON but descriptions and titles are interpolated directly into prompts without specialized filtering for instructions. However, this risk is inherent to the skill's primary function of code analysis and is considered a managed risk in a development environment.
Audit Metadata