The Agent Skills Directory

[SAFE]: The skill implements strong path validation in scripts/shared_io.py and scripts/setup_test_env.py which resolves absolute paths and rejects any input containing '..' segments, effectively preventing path traversal attacks.
[COMMAND_EXECUTION]: The scripts/script_runner.py utility executes scripts from the skill being tested using subprocess.run with parameterized argument lists. This behavior is the primary purpose of the tool and is mitigated by a 'script-isolation' rule in SKILL.md and the use of isolated subprocesses without shell interpolation.
[PROMPT_INJECTION]: As an auditing tool, the skill processes untrusted instructions and source code from other skills. It mitigates Indirect Prompt Injection (Category 8) risks through its 'content-as-data' security rule and by providing explicit grounding instructions to its analysis agents (agents/security_review.md, agents/prompt_reviewer.md) to prevent them from obeying instructions embedded in the analyzed content.
Ingestion points: Reads SKILL.md, plugin.json, and raw script files from the target skill directory.
Boundary markers: Explicitly defined in SKILL.md under <security> as 'content-as-data' and 'script-isolation'.
Capability inventory: Uses subprocess.run in script_runner.py to execute scripts and uses subagents for text analysis.
Sanitization: Implements _reject_traversal and _check_boundary in shared_io.py to sanitize all file and directory operations.
[DATA_EXFILTRATION]: The scripts/session_analyzer.py script accesses Claude Code session logs located in ~/.claude/projects/. This access is documented and intended for generating session traces and conversation audits for the user, posing no risk of unauthorized exfiltration in this context.

skill-tester