security-auditor

Pass

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill implements the security auditing features described in its documentation, including secret detection, dependency auditing, and OWASP-focused static analysis. It operates entirely on the local filesystem and generates structured JSON reports.
  • [DYNAMIC_EXECUTION]: The script scripts/detect-secrets.sh utilizes the eval command to construct and run find operations with multiple exclusion patterns. While eval is often a risk, here it is used to manage complex shell arguments for the purpose of scanning the project directory.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface as it reads and processes untrusted files from a codebase. Maliciously crafted content (e.g., comments or strings) within a scanned project could potentially influence the agent's behavior when it interprets the resulting security report. The skill includes some mitigation by using exclusion lists for binary and minified files.
      • Ingestion points: File content is read by grep in detect-secrets.sh and Path.read_text() in owasp-check.py.
      • Boundary markers: None explicitly enforced in the report output to the agent.
      • Capability inventory: The skill has access to Bash, Read, Write, and Edit tools.
      • Sanitization: The scripts use jq to ensure valid JSON structure for the reports, which provides basic escaping for the findings data.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 5, 2026, 12:19 PM