owasp-top-10

Pass

Audited by Gen Agent Trust Hub on Apr 23, 2026

Risk Level: SAFE, NO_CODE, CREDENTIALS_UNSAFE
Full Analysis
  • [SAFE]: The skill is entirely informational, consisting of markdown files that provide guidance, checklists, and methodology for security audits. It contains no executable code, installation scripts, or automated tools.
  • [CREDENTIALS_UNSAFE]: A mock Stripe-style API key (sk_live_a3f7c9b2d8e1f4g6h9) is present in references/cryptographic-failures.md. This is explicitly used within a code block labeled as VULNERABLE to demonstrate insecure hardcoding practices for educational purposes and does not represent a functional credential.
  • [DATA_EXFILTRATION]: Evaluation of Indirect Prompt Injection surface: 1. Ingestion points: The skill is designed to guide the review of user-provided code (SKILL.md). 2. Boundary markers: Absent. 3. Capability inventory: No tools or network permissions are requested or utilized. 4. Sanitization: Absent. The risk is negligible as the skill lacks any means to execute code or exfiltrate data.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 23, 2026, 10:26 PM