dependency-management
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill processes project manifest files and security audit outputs, which establishes a surface for indirect prompt injection. This risk is inherent to tools summarizing third-party metadata. Ingestion points include project configuration files (package.json, requirements.txt, go.mod, Cargo.toml) and vulnerability logs parsed in scripts/analyze_deps.py. The skill lacks explicit boundary markers, but it mitigates risk by parsing inputs as structured JSON and truncating description strings. Capability inventory includes subprocess execution and file writing as described in its primary functions.
- [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: The skill's instructions and script facilitate the retrieval of vulnerability data from official package registries. Evidence indicates that the skill targets well-known and trusted services such as npmjs.com and pypi.org, which is considered standard and safe behavior for auditing software.
- [DYNAMIC_EXECUTION]: The provided script scripts/analyze_deps.py executes external CLI tools via the subprocess module to gather security metrics. This is implemented safely by passing command arguments as lists and including error handling for the execution process.
Audit Metadata