skills/marclelamy/skills/semgrep/Gen Agent Trust Hub

semgrep

Pass

Audited by Gen Agent Trust Hub on Apr 13, 2026

Risk Level: SAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill incorporates a robust 'hard gate' in Step 3 of the workflow, utilizing AskUserQuestion to ensure explicit user consent is obtained for the proposed scan plan (including targets and rulesets) before any execution occurs.
  • [DATA_EXFILTRATION]: The instructions mandate the use of the --metrics=off flag for all Semgrep commands to prevent the transmission of scan telemetry or codebase data to external servers, which is a critical privacy control for security audits.
  • [EXTERNAL_DOWNLOADS]: The skill fetches configuration and rulesets from established security research organizations and technology providers (e.g., Trail of Bits, HashiCorp, Microsoft) via their official GitHub repositories and package registries.
  • [COMMAND_EXECUTION]: The skill manages scan execution and result processing through shell commands and a Python helper script (merge_sarif.py). The script employs safe subprocess execution patterns by using static argument lists and avoiding shell evaluation.
  • [REMOTE_CODE_EXECUTION]: The skill utilizes @microsoft/sarif-multitool via npx to perform result merging. This download targets a well-known service and is restricted to its documented purpose of processing static analysis results.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 13, 2026, 11:16 AM