performing-penetration-testing

Pass

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The security scanners and setup scripts use subprocess calls to interact with system tools such as bandit, npm audit, and pip-audit. These calls are implemented using list-based arguments rather than string-based shell execution, which effectively mitigates the risk of command injection.
  • [EXTERNAL_DOWNLOADS]: The environment setup script and dependency auditor download and install well-known security libraries from official package registries like PyPI and npm. These operations are standard for the skill's purpose and originate from trusted service providers.
  • [DATA_EXFILTRATION]: While the skill probes for sensitive information such as exposed .env files or hardcoded secrets, it does so as part of a local security audit. There is no evidence of data being transmitted to unauthorized external domains; results are presented to the user or saved to user-specified local files.
  • [PROMPT_INJECTION]: The skill includes explicit instructions for the agent to verify user authorization before performing any scan, serving as a procedural safeguard. Although the tool processes untrusted data from websites and codebases, it does so within the context of a security audit where the output is treated as data to be reported.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 9, 2026, 02:11 AM