skills/mblode/agent-skills/dx-audit/Gen Agent Trust Hub

dx-audit

Pass

Audited by Gen Agent Trust Hub on Jun 28, 2026

Risk Level: SAFE, NO_CODE
Full Analysis
  • [SAFE]: The skill package is composed entirely of markdown instructions, rule definitions, and reference principles. There are no executable scripts, binaries, or automated deployment tasks that could impact the security of the host environment.
  • [NO_CODE]: No implementation code (Python, JavaScript, etc.) is included. The skill relies on the AI agent's ability to interpret and apply the provided natural language rules to the user's codebase.
  • [COMMAND_EXECUTION]: The skill mentions using standard development tools like git diff and git show to compare API contracts for stability audits. These are common, read-only development operations and do not represent a risk of arbitrary command execution.
  • [DATA_EXFILTRATION]: There are no instructions for establishing network connections or transmitting data to external domains. The audit process is entirely local to the project being reviewed.
  • [INDIRECT_PROMPT_INJECTION]: The skill identifies a workflow for reading and analyzing external code files. Ingestion points: project files such as index.ts, package.json, and CLI entry points. Boundary markers: not specified. Capability inventory: limited to reading files and generating a text-based report. Sanitization: not specified. While this surface exists, it is inherent to the auditing task and does not provide mechanisms for untrusted code to bypass agent constraints.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Jun 28, 2026, 07:00 AM