The Agent Skills Directory

[CREDENTIALS_UNSAFE]: The audit guidelines in references/audit/devops.md and references/audit/tech-stack.md explicitly instruct the agent to read .env files to identify environment variables. This is a significant risk as .env files commonly contain sensitive plaintext secrets, production credentials, and API keys.
[COMMAND_EXECUTION]: The skill relies heavily on shell command execution for its core functionality. This includes using the gitnexus CLI tool for graph-based analysis and running complex shell scripts for documentation structure and link integrity validation, as documented in references/validation/structure-check.md.
[EXTERNAL_DOWNLOADS]: The workflow involves executing npx gitnexus, which fetches and runs the gitnexus package from the NPM registry. This introduces a dependency on an external, third-party package at runtime.
[INDIRECT_PROMPT_INJECTION]: Because the skill processes entire codebases through automated subagents, it is vulnerable to indirect prompt injection. Malicious instructions embedded in the codebase's documentation or source code could potentially manipulate the subagents' audit reports or the final generated documentation.

documenting-codebase