lint-drupal-module

Pass

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: Legitimate use of shell commands through DDEV to run PHPStan and PHPCS for code linting and style enforcement. This behavior is essential for the skill's stated purpose.
  • [EXTERNAL_DOWNLOADS]: The skill facilitates the installation of PHP development dependencies from the official Packagist registry via Composer. These installations only occur after the user provides explicit consent.
  • [PROMPT_INJECTION]: Indirect prompt injection attack surface identified.
    1. Ingestion points: Module source files (.php, .yml, .js) identified via Glob and Read in SKILL.md.
    2. Boundary markers: Structured sub-agent prompts in references/prompts-agentes.md use list delimiters.
    3. Capability inventory: Bash, Agent, and Write/Edit capabilities.
    4. Sanitization: None; the skill relies on specialized sub-agent instructions to 'only report' findings.
    This surface is assessed as safe given the context of a security auditing tool.
  • [SAFE]: No malicious patterns, obfuscation, or unauthorized data exfiltration were detected. The skill follows secret management best practices by advising users to store sensitive tokens in secure storage (Settings or State API) rather than exportable configuration.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 7, 2026, 05:51 PM