dx-harness
Warn
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The scripts `verify.sh` and `time-to-first-commit.sh` use the `eval` shell command to execute bootstrap and test instructions discovered in the analyzed repository's configuration files (such as `package.json` scripts, `Justfile` targets, or `Makefile` commands).
- [REMOTE_CODE_EXECUTION]: The skill's verification workflow involves executing the setup and test suites directly from the repository being audited within a temporary git worktree. This allows any malicious code present in the audited repository's setup scripts to execute with the user's permissions.
- [EXTERNAL_DOWNLOADS]: Generated templates for `bootstrap.sh` and other harness scripts include instructions to invoke package managers (npm, pip, cargo, go), which download and install code from external public registries based on the project's detected dependencies.
- [DATA_EXFILTRATION]: The auditing process reads git commit logs and repository metadata to identify friction patterns. This information is persisted to a local log file (`audits.log`), which could expose sensitive development history or project metadata if the local machine is compromised.
Audit Metadata