security-audit
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [SAFE]: The skill proactively protects sensitive information by automatically adding the audit output directory (`.security/`) to the project's `.gitignore` file. This prevents vulnerability reports or discovered secrets from being accidentally committed to version control.
- [COMMAND_EXECUTION]: The skill executes standard security scanners and package manager commands (e.g., `npm audit`, `trivy`, `semgrep`). All shell commands are governed by `timeout` to prevent resource exhaustion and ensure the agent remains responsive.
- [EXTERNAL_DOWNLOADS]: The auditing tools utilized by the skill (such as Trivy and Snyk) connect to official vulnerability databases and registries. The skill mitigates supply chain risks by explicitly advising against dynamic remote configuration for Semgrep.
- [PROMPT_INJECTION]: By performing targeted analysis of project files, the skill exposes an indirect prompt injection surface where malicious code within the audited project could attempt to influence the agent's security conclusions. This is categorized as low risk due to the skill's diagnostic nature and use of specific search patterns.
Audit Metadata