dead-code-hunter

Pass

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of the @magic5644/graph-it-live package from the NPM registry. This package is owned by the skill's author and serves as the primary analysis engine.
  • [COMMAND_EXECUTION]: The skill orchestrates multiple shell commands, including graph-it scan, graph-it tool find_unused_symbols, and graph-it tool get_symbol_callers. It also instructs the agent to generate and potentially execute file deletion commands like rm as part of a cleanup plan.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes data from local source code files to generate its output, so text planted in those files (comments, identifiers, string literals) can reach the agent through the analysis results.
    • Ingestion points: Data enters the agent context through the output of the various graph-it CLI tools that scan the project's source files (referenced in SKILL.md steps 2 through 5).
    • Boundary markers: There are no explicit boundary markers, and no instruction to treat tool output as untrusted data, that would keep the agent from being influenced by malicious content embedded in the source files being analyzed.
    • Capability inventory: The skill can execute shell commands and specifically suggests file deletions (rm) based on the analysis results (SKILL.md step 6 and the Output Format section).
    • Sanitization: No sanitization or validation step is described for the data parsed from the analysis tool output before it is used to formulate the deletion plan.
Audit Metadata
Risk Level: SAFE
Analyzed: May 11, 2026, 07:04 AM