security-audit-checklist

Pass

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill provides instructional content and detection patterns for performing security audits. It does not contain malicious code, data exfiltration, or prompt injection vectors.
  • [COMMAND_EXECUTION]: The skill documentation includes examples of shell commands (grep, npm audit, pip-audit) used for static analysis and dependency auditing. These are standard security tools used as intended.
  • [DATA_EXPOSURE_AND_EXFILTRATION]: The skill provides regex patterns for detecting hardcoded secrets (e.g., AWS keys, Stripe tokens) and sensitive files during an audit. It does not contain hardcoded credentials or instructions to exfiltrate data.
  • [INDIRECT_PROMPT_INJECTION]: The skill is intended to process untrusted codebases for auditing purposes. While this represents a data ingestion surface, the risk is mitigated by the skill's reliance on static grep patterns rather than interpolating untrusted content into sensitive prompt logic.
    • Ingestion points: Reads code from external projects during audits (SKILL.md).
    • Boundary markers: Evidence and report templates are provided for structured output.
    • Capability inventory: Uses standard CLI tools like grep for pattern matching.
    • Sanitization: Not applicable as the analysis is static and pattern-based.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 29, 2026, 07:53 AM