skills/jschulte/stackshift/analyze/Gen Agent Trust Hub

analyze

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes several standard shell utilities to perform its analysis tasks.
      • Employs find, grep, ls, cat, and wc to map directory structures, count files, and search for specific code patterns (e.g., TODOs, framework indicators).
      • Uses git commands such as git remote -v to retrieve repository metadata and git add/commit to install and version-control project-specific slash commands.
      • Implements a safeguard in its bash scripts and TypeScript logic to stop directory traversal when a .git directory is found, ensuring the agent stays within the repository boundaries.
  • [DATA_EXFILTRATION]: The skill performs discovery of potentially sensitive information to evaluate the application's configuration and security posture.
      • Explicitly searches for .env files and string patterns like jwt, api_key, and database connection strings (postgres, mysql) within the codebase.
      • This data is used solely to generate the local analysis-report.md and assess documentation coverage; no network operations were detected that would transmit this information to external servers.
  • [PROMPT_INJECTION]: The skill is subject to indirect prompt injection due to its processing of untrusted codebase content.
      • Ingestion points: The skill reads data from README.md, source code comments (TODO, FIXME), and manifest files like package.json across the entire analyzed project.
      • Boundary markers: Extracted content is interpolated into the analysis-report.md template using markdown headers and bullet points; however, it lacks explicit instructions for future agent sessions to ignore embedded commands within the report.
      • Capability inventory: The skill possesses file read/write capabilities and the ability to execute git and shell commands.
      • Sanitization: No sanitization or escaping of the extracted text (such as code comments) is performed before it is written to the analysis report.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 10, 2026, 06:51 AM