skill-review
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The README.md and .claude-plugin/plugin.json files explicitly reference the execution of shell scripts such as ./scripts/review-skill.sh and ./scripts/install-skill.sh. These scripts are central to the skill's functionality, but their source code is missing from the package, preventing a safety review of the commands being run on the host system.
- [DYNAMIC_EXECUTION] (MEDIUM): The skill claims that it 'Fixes automatically where clear' (Phase 8 of its process). This implies the ability to write or modify executable scripts and configuration files. If the auditor agent is misled by a malicious skill being reviewed, it could be coerced into writing backdoors or insecure code.
- [EXTERNAL_DOWNLOADS] (LOW): The skill uses tools like 'WebFetch' and 'Context7' to access the npm registry, GitHub, and official documentation sites. While consistent with its stated purpose of verifying version currency and API accuracy, it establishes outbound network dependencies.
- [PROMPT_INJECTION] (LOW): As an auditing tool (Category 8: Indirect Prompt Injection), this skill has a significant attack surface. It ingests untrusted data from other skills (Ingestion points: SKILL.md, scripts, and README files of audited skills). It lacks boundary markers or sanitization logic to prevent instructions within the audited data from influencing the agent during the 'Fix Implementation' or 'Post-Fix Verification' phases. Capability inventory includes subprocess execution, file-writing, and network operations.
Audit Metadata