skill-scanner

Pass

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: SAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill includes extensive documentation of prompt injection and jailbreak patterns (e.g., 'ignore previous instructions', 'DAN mode') within 'references/prompt-injection-patterns.md' and 'scripts/scan_skill.py'. These are explicitly used as reference material for detection and are not executed against the agent. Additionally, the skill has an indirect prompt injection surface as it ingests untrusted skill code. Ingestion points: 'SKILL.md' and script files. Boundary markers: Results are presented in structured JSON. Capability inventory: 'Bash', 'Read', 'Grep', 'Glob'. Sanitization: The scanner script uses regex pattern matching for identification rather than interpreting the external content.
  • [DATA_EXFILTRATION]: Illustrative examples of malicious data exfiltration (HTTP, DNS, and file-based) are provided in 'references/dangerous-code-patterns.md' for educational and identification purposes.
  • [CREDENTIALS_UNSAFE]: The scanning script 'scripts/scan_skill.py' contains regex patterns for detecting hardcoded secrets like AWS keys, GitHub tokens, and OpenAI keys. These are static signatures used for analysis and do not contain actual sensitive credentials.
  • [COMMAND_EXECUTION]: The skill uses 'Bash' to run its bundled Python scanner. This use of the shell is justified by the skill's purpose and is restricted to executing the local analysis script.
  • [EXTERNAL_DOWNLOADS]: The skill specifies a dependency on 'pyyaml' using standard PEP 723 metadata. It uses 'uv run' for execution and implements safe deserialization using 'yaml.safe_load' in its script logic.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 2, 2026, 07:43 AM