The Agent Skills Directory

[SAFE]: The skill consists entirely of instructional Markdown content and reference guides for code auditing. It does not contain any executable scripts, remote downloads, or hidden shell commands.\n- [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and analyze untrusted PHP source code (Ingestion Point: PHP project files identified in Phase 1). This creates an inherent surface for indirect prompt injection where malicious code could attempt to influence the agent. However, the methodology explicitly mitigates this through its 'Evidence Contract System' (Boundary Marker: evidence-contract.md), which mandates that any finding must be proven through a complete Source-to-Sink path (Capability: data flow analysis), requiring the agent to verify actual execution logic rather than relying on textual claims (Sanitization: verification of path reachability and filtering).

php-audit-pipeline