security-testing

Pass

Audited by Gen Agent Trust Hub on Apr 23, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: Several Python scripts in the scripts/ directory use subprocess.call() to orchestrate internal tasks. For example, batch_convert_templates.py and various wrapper scripts like convert_to_csv.py invoke convert_formats.py using the current Python interpreter (sys.executable). This is a legitimate and safe use of subprocess for internal tool coordination, and it does not utilize shell=True or incorporate untrusted external input.
  • [DATA_EXFILTRATION]: The skill does not contain any network-related operations, such as curl, wget, or HTTP requests. It operates entirely on local file inputs provided by the user for the purpose of generating reports and testing plans. No hardcoded credentials or access to sensitive system paths (like .ssh or .aws) were found.
  • [PROMPT_INJECTION]: The prompts/security-testing.md file provides clear, defensive instructions for the agent to act as a senior QA expert. It focuses on risk reduction and safe validation without any attempts to bypass safety filters or provide offensive exploitation guidance.
  • [REMOTE_CODE_EXECUTION]: There are no patterns suggesting the download or execution of remote scripts. The installation scripts mentioned in the README are local to the repository, and the functional scripts do not ingest data from remote sources.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 23, 2026, 09:00 AM