static-analysis

Pass

Audited by Gen Agent Trust Hub on May 2, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script static_analyzer.py executes local static analysis binaries like cppcheck, clang-tidy, and gcc to perform its core functions.
      ◦ Evidence: The functions run_cppcheck, run_clang_tidy, and run_gcc_analyzer construct command lists and pass them to subprocess.run.
      ◦ Context: Execution is performed using argument lists without shell=True, which prevents shell command injection from user-provided source paths or arguments.
  • [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection (Category 8) due to its data ingestion patterns.
      ◦ Ingestion points: scripts/static_analyzer.py reads content from source files and the standard output/error (including XML) of analysis tools.
      ◦ Boundary markers: There are no explicit markers or instructions to the agent to ignore potentially malicious content within the tool output.
      ◦ Capability inventory: The agent has the ability to execute CLI commands and interact with the file system via this skill.
      ◦ Sanitization: The skill does not sanitize error messages, warnings, or rule IDs before outputting them to the agent's context.
  • [EXTERNAL_DOWNLOADS]: The skill relies on an external dependency not contained within its own files.
      ◦ Evidence: The line "from tool_config import get_tool_path" in scripts/static_analyzer.py attempts to import from a shared directory located outside the skill's root, which is a common pattern for environment-specific utilities.
Audit Metadata
Risk Level
SAFE
Analyzed
May 2, 2026, 02:26 PM