The Agent Skills Directory

[SAFE]: No malicious patterns, obfuscation, or security vulnerabilities were detected. The skill implements standard business logic for the construction industry and follows its stated purpose.
[COMMAND_EXECUTION]: The Python implementation is focused on mathematical modeling and data structure manipulation using Pandas and NumPy. No arbitrary command execution, subprocess spawning, or shell injection points were found.
[DATA_EXFILTRATION]: The skill does not perform any network operations (no use of curl, wget, or requests). Filesystem access is used legitimately for reading input data and exporting results to Excel, consistent with the permissions defined in the skill manifest.
[PROMPT_INJECTION]: The instructions are well-defined and do not contain any bypass attempts or behavioral overrides. The skill has an indirect prompt injection surface as it processes external files (CSV, Excel, JSON). (1) Ingestion points: User-provided file paths in instructions.md. (2) Boundary markers: Not explicitly defined. (3) Capability inventory: Filesystem write access via ExcelWriter in SKILL.md. (4) Sanitization: Not explicitly implemented. However, the risk is assessed as safe given the mathematical nature of the operations.
[EXTERNAL_DOWNLOADS]: The skill relies on standard, well-known Python packages for data analysis and does not download or execute remote scripts during runtime.

cwicr-escalation