The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The skill fetches .gitignore templates from Toptal's API (a well-known service) to ensure repository hygiene.
Evidence: curl -sL https://www.toptal.com/developers/gitignore/api/macos,linux,node,python > .gitignore in SKILL.md.
[SAFE]: The skill implements active protection against accidental secret exposure by identifying sensitive files (e.g., .env, *.pem, *_rsa) and excluding them from the staging process.
[SAFE]: The skill enforces the execution of pre-commit hooks by explicitly avoiding the --no-verify flag during the git commit operation, ensuring local security scans are not bypassed.
[SAFE]: Shell operations involving AI-generated content (like commit messages) are handled using heredocs (cat <<'EOF') to prevent command injection from the generated text.
[PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it processes untrusted data (git diffs) to generate commit messages and performs downstream actions (git push).
Ingestion points: git diff --cached in SKILL.md.
Boundary markers: Absent.
Capability inventory: git commit, git push, and gh pr create in SKILL.md.
Sanitization: Absent.
[COMMAND_EXECUTION]: The skill executes several local maintenance scripts (e.g., adr-check.sh, design-check.sh, rebuild-index.sh) located within the repository's .agents/bin/ directory.

swain-sync