implementing-devsecops-security-scanning

Pass

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The orchestration script scripts/agent.py executes security tools like semgrep, trivy, and gitleaks. It calls subprocess.run() with a list of arguments and does not use shell=True, so the arguments are never interpreted by a shell, which prevents shell injection vulnerabilities.
  • [EXTERNAL_DOWNLOADS]: The documentation in SKILL.md refers to official and well-known GitHub Actions provided by organizations such as Aqua Security, ZAP, and Gitleaks. These are standard, reputable resources used for automated security testing.
  • [DATA_EXFILTRATION]: While the skill reads and processes local source code and configuration files, this is the primary and stated purpose of a security scanner. There are no patterns suggesting unauthorized data collection or network exfiltration to unknown or untrusted domains.
  • [PROMPT_INJECTION]: The instructions and workflow examples are purely technical and do not contain any patterns intended to manipulate agent behavior, override safety filters, or extract system prompts.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 10, 2026, 06:26 PM