
skill-auditor

Pass

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: SAFE (flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [COMMAND_EXECUTION]: The skill defines a set of permitted shell commands to facilitate its auditing workflow. Evidence: SKILL.md allows the execution of python3 {SKILL_DIR}/scripts/scan_skill.py, git clone, and npx skills add. Analysis: These commands are necessary for repository management, automated scanning, and skill installation. The workflow includes a safe cleanup command with path validation to prevent directory traversal or unauthorized deletions.
  • [EXTERNAL_DOWNLOADS]: The skill downloads code from remote GitHub repositories for analysis. Evidence: SKILL.md (Phase 0) describes the resolution and cloning of user-provided GitHub URLs. Analysis: This is the primary function of the tool. The skill implements security controls such as strict URL pattern validation and the use of unique temporary directories for isolation.
  • [PROMPT_INJECTION]: The skill contains instructional text regarding prompt injection and an inherent surface for indirect injection. Evidence: The references/security-checklist.md and SKILL.md mention phrases like "ignore previous instructions" as risk indicators to scan for. Analysis: These are part of the skill's logic for identifying threats in other skills and do not represent malicious intent. Indirect Prompt Injection Surface:
    1. Ingestion points: Untrusted content from cloned repositories is read into the agent context in SKILL.md (Phase 1.3-1.5).
    2. Boundary markers: Instructions explicitly mandate treating all target files as data, ignoring instructions within them, and utilizing sub-agents for isolation.
    3. Capability inventory: Access to git, python3, and npx utilities.
    4. Sanitization: Uses an automated static analysis scanner (scan_skill.py) to detect and redact potential secrets before manual analysis.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 7, 2026, 06:36 PM