semgrep-rule-creator
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute semgrep commands for rule testing (--test), AST analysis (--dump-ast), and validation (--validate). These operations are consistent with the skill's stated purpose of developing and verifying static analysis rules.
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to fetch documentation from the official Semgrep documentation repository and the Trail of Bits testing handbook on GitHub. These are well-known, trusted sources, and the references are used purely for informational purposes to guide rule creation.
- [PROMPT_INJECTION]: The instructions do not contain any patterns typical of prompt injection, such as attempts to override system behavior, reveal internal prompts, or bypass safety guidelines.
- [DATA_EXFILTRATION]: There are no patterns indicating the collection or transmission of sensitive data. The network access is scoped to fetching documentation from public, trusted repositories.
- [REMOTE_CODE_EXECUTION]: Static analysis flagged the word eval in SKILL.md. However, contextual review confirms these occurrences are part of educational examples (e.g., showing how to write a Semgrep rule to detect insecure use of eval in Python) and do not represent executable code within the skill's runtime logic.
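The kind of rule the audit refers to, written here as an added illustration rather than taken from the skill's SKILL.md: a Semgrep rule that flags Python eval() calls whose first argument is not a string literal, which is the shape that semgrep --validate checks and semgrep --test exercises. The rule id, message and metadata are this illustration's own choices.

```yaml
# Added example: a Semgrep rule of the kind the audited skill teaches.
# Not taken from the skill's SKILL.md; the id and message are illustrative.
rules:
  - id: python-eval-of-non-literal
    languages: [python]
    severity: ERROR
    message: >-
      eval() on a non-literal argument executes whatever expression the
      caller controls. Use ast.literal_eval() for data or a real parser.
    metadata:
      cwe: "CWE-95: Eval Injection"
      category: security
    patterns:
      # Match every eval(...) call with at least one argument.
      - pattern: eval($ARG, ...)
      # Drop calls whose first argument is a string literal; "..." inside
      # a pattern matches any string literal, so eval("1+1") is not reported.
      - pattern-not: eval("...", ...)
```

To exercise it the way the skill's --test step does, place a fixture named python-eval-of-non-literal.py next to the rule file: a line annotated with the comment `# ruleid: python-eval-of-non-literal` directly above `eval(user_input)` must be reported, and one annotated with `# ok: python-eval-of-non-literal` above `eval("1 + 1")` must not. semgrep --validate on the rule file checks the YAML and pattern syntax before the fixture is run. The eval text in this example is, as in the audited skill, part of the pattern being detected and is not executed.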
Audit Metadata