The Agent Skills Directory

[COMMAND_EXECUTION]: The skill uses the Bash tool to perform security audits using standard package manager commands such as npm audit, yarn audit, and pnpm audit. These are used to identify known vulnerabilities in dependencies.
[EXTERNAL_DOWNLOADS]: The skill recommends using several well-known third-party security tools, including lockfile-lint, npq, and @cyclonedx/cyclonedx-npm, which are typically installed or executed via npx during the audit process.
[INDIRECT_PROMPT_INJECTION]: The skill audits untrusted project files (e.g., package.json, lockfiles, CI configurations). While these files could theoretically contain malicious instructions aimed at the agent, the skill provides specific rules and logic to parse these files for security best practices rather than executing content from within them.
Ingestion points: Audits project configuration files including package.json, package-lock.json, yarn.lock, pnpm-lock.yaml, and GitHub Actions workflows.
Boundary markers: Not explicitly defined for all file reads, though the skill focuses on structured data parsing (JSON/YAML).
Capability inventory: Access to Read, Glob, Grep, and Bash tools for project analysis.
Sanitization: The skill focuses on identifying specific security patterns (e.g., version pinning, audit gates) rather than executing arbitrary strings from the analyzed project.

js-security-audit