dependency-audit

Pass

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill provides guidance on using official security advisory databases such as the National Vulnerability Database (NVD), GitHub Advisory Database, and OSV. It also references official package registries including PyPI, npm, and crates.io for metadata and health checks. These are well-known, trusted technology services used for legitimate security auditing purposes.
  • [COMMAND_EXECUTION]: The workflow documentation describes the use of standard package management and auditing CLI tools, including npm audit, pip-audit, cargo audit, and uv. These commands are essential for performing the security and health assessments described in the skill's primary purpose.
  • [PROMPT_INJECTION]: The skill's function involves analyzing untrusted project metadata (manifests and lock files), which presents an indirect prompt injection surface.
      • Ingestion points: Dependency manifest files (package.json, requirements.txt, Cargo.toml, go.mod, etc.) and lock files.
      • Boundary markers: Not explicitly defined in the provided instructions; however, the skill focuses on structured data analysis rather than direct execution of instructions found within these files.
      • Capability inventory: The skill suggests executing shell commands to run specialized auditing and tree-parsing tools.
      • Sanitization: The skill relies on the inherent parsing and validation mechanisms of the recommended auditing tools (e.g., npm, pip, cargo).
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 7, 2026, 08:40 PM