israeli-appsec-scanner
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill is a legitimate security tool intended for auditing and compliance purposes. It follows security best practices by providing local scanning scripts rather than executing remote code.
- [DATA_EXPOSURE]: The skill includes scripts (`secrets-scanner.sh` and `security-audit-checklist.py`) that read project files to identify potential data exposure risks, such as hardcoded API keys and Israeli national ID numbers. This data is processed locally and no evidence of exfiltration was found.
- [OBFUSCATION]: The skill documentation (`references/owasp-hebrew-checklist.md`) and Hebrew instructions (`SKILL_HE.md`) contain homoglyphs and bidirectional (BiDi) control characters. These are included for educational purposes to demonstrate specific attack vectors (e.g., IDN homograph and Trojan Source attacks) or for detection within the audit scripts.
- [PROMPT_INJECTION]: The skill processes untrusted project data during auditing. While this creates a surface for indirect prompt injection if malicious instructions were embedded in scanned files, the provided scripts perform static pattern matching and do not execute content from the scanned data.
- [COMMAND_EXECUTION]: The skill instructions recommend the use of standard, well-known security tools (e.g., `pnpm audit`, `trivy`, `snyk`, `trufflehog`, `gitleaks`). These tools are executed by the user to perform local analysis.
Audit Metadata