The Agent Skills Directory

[COMMAND_EXECUTION]: The skill makes extensive use of the Bash tool to execute system-level commands for project analysis, including madge, go mod, and custom file system searches.- [EXTERNAL_DOWNLOADS]: The documentation recommends the installation of various external utilities from unverified third-party GitHub repositories, such as godepgraph, go-callvis, and gomarkdoc, as well as global npm packages like jsdoc-to-markdown.- [REMOTE_CODE_EXECUTION]: The skill's workflow involves executing scripts located within the project repository (e.g., 'go run scripts/analyze/main.go' and 'npx tsx scripts/codemaps/generate.ts'). If the repository being documented is untrusted or contains malicious content, these scripts could perform unauthorized actions.- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it ingest untrusted data from the codebase to generate documentation without adequate security boundaries.
Ingestion points: The agent reads the entire source tree (src/ directory) using the Read and Glob tools to extract architectural details.
Boundary markers: There are no instructions for the agent to distinguish between code and potential instructions embedded in comments.
Capability inventory: The agent has access to powerful tools including Bash, Write, and Edit.
Sanitization: The skill does not implement any validation or sanitization of the content extracted from the source files before processing it.

doc-updater