skills/openclaw/skills/audit-code/Gen Agent Trust Hub

audit-code

Pass

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: LOW
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, SAFE

Full Analysis

The audit-code skill is a security-focused code reviewer. It explicitly declares allowed-tools: Bash and executes a Python script (audit_code.py) via Bash, passing user-controlled $ARGUMENTS. The Python script then takes this argument as a target_path.

Findings:

  • COMMAND_EXECUTION (LOW): The skill uses allowed-tools: Bash and executes a Python script. The Python script takes $ARGUMENTS as input, which is then used as a file path. The script handles the path safely for its intended purpose of reading files for auditing (Path(sys.argv[1]).resolve()), but the combination of explicitly allowed Bash and user-controlled input is a powerful primitive. However, given the skill's purpose as a code auditor, this capability is necessary and appears to be handled responsibly within the Python script.

  • DATA_EXFILTRATION (INFO): The audit_code.py script reads the content of various files, including potentially sensitive .env files and other source code, as part of its core functionality to detect secrets and vulnerabilities. It also checks file permissions on sensitive files like private keys. While it accesses sensitive data, there is no evidence of this data being sent to external servers. The script's output is a report printed to stdout. This data access is inherent to its legitimate security auditing function.

  • No Obfuscation: No obfuscation techniques (Base64, zero-width characters, homoglyphs, etc.) were found within the skill's own files.

  • No Unverifiable Dependencies: The Python script imports patterns.py locally from the same skill directory. There are no external package installations (pip install, npm install) or downloads from untrusted sources.

  • No Privilege Escalation: The skill does not attempt to use sudo or chmod 777, and does not install system services. It detects chmod 777 in the code it audits, which is good.

  • No Persistence Mechanisms: No attempts to modify shell configurations, cron jobs, or other persistence mechanisms were detected.

  • No Metadata Poisoning: The SKILL.md description and _meta.json are clean and do not contain any malicious instructions or hidden payloads.

  • No Prompt Injection: The skill's instructions and code do not contain any prompt injection attempts. The patterns.py file defines patterns to detect prompt injection, but the skill itself does not use them maliciously.

  • No Time-Delayed / Conditional Attacks: No logic was found to trigger malicious behavior based on time, usage, or environment conditions.

Conclusion: The audit-code skill is a legitimate security tool. Its design, including the use of disable-model-invocation: true and context: fork, indicates an awareness of security best practices. While it uses powerful capabilities like Bash execution and sensitive file access, these are necessary for its stated purpose and appear to be implemented safely within the provided Python scripts. The overall risk is considered LOW because the skill itself is designed to enhance security rather than compromise it, and its internal logic does not show malicious intent.

Audit Metadata

Risk Level: LOW
Analyzed: Feb 13, 2026, 02:01 AM