The Agent Skills Directory

COMMAND_EXECUTION (SAFE): The skill contains several bash scripts (detect_state.sh, analyze_structure.sh, estimate_tokens.sh) that use standard Linux utilities like find, grep, cat, and wc to analyze the local directory structure and file sizes. All commands are used for their intended purpose of codebase analysis and do not perform network operations or privilege escalation.
DATA_EXPOSURE (SAFE): While estimate_tokens.sh reads the contents of source files to estimate token counts, the data is processed locally through pipes to wc and is never logged, displayed, or transmitted externally.
INDIRECT_PROMPT_INJECTION (SAFE): The skill is designed to analyze untrusted codebases. While this technically presents an ingestion surface, the scripts only output aggregated metadata (file lists, counts), which poses negligible risk of instructions from the codebase influencing the agent's behavior during the analysis phase.
UNVERIFIABLE_DEPENDENCIES (SAFE): The README mentions installation via npx skills, which is a standard deployment mechanism for this type of extension and is not an internal runtime download of untrusted code.

intent-layer