The Agent Skills Directory

[SAFE]: The skill's core function is to act as a security vetting tool for other agent capabilities. It implements a structured 6-step protocol to identify risks like typosquatting, over-privilege, and dependency issues.
[PROMPT_INJECTION]: The skill contains a wide array of prompt injection keywords (e.g., 'Ignore previous instructions', 'DAN', 'Admin mode activated'). These are presented as reference data for the agent to use when scanning other skills, rather than as instructions to be executed by the agent itself. The skill includes instructions to normalize text (e.g., decoding Base64 and removing zero-width characters) before analysis, which is a defensive best practice. As an auditor, the skill possesses an indirect prompt injection surface as it ingests untrusted files.
Ingestion points: User-provided skill files or text pastes provided for auditing (SKILL.md).
Boundary markers: None defined; the agent is instructed to scan the content directly.
Capability inventory: file-read permission for auditing local files.
Sanitization: Explicit instructions are provided to 'normalize text' by decoding Base64, expanding Unicode, and removing zero-width characters before analysis.
[DATA_EXFILTRATION]: While the skill requests 'file-read' permissions to analyze local skill configuration files, it explicitly does not request network permissions ('network: false'), preventing any exfiltration of the data it reads.
[COMMAND_EXECUTION]: The documentation references dangerous commands and paths (e.g., 'curl', 'bash -i', '~/.ssh') exclusively as markers for the agent to look for when identifying high-risk behavior in audited subjects.
[METADATA_POISONING]: The skill metadata includes a 'trust-score' of 97 and a 'last-audited' date. These are self-reported indicators of reliability and should be viewed as descriptive data rather than authoritative safety certifications.

skill-auditor