npm-upgrade

Pass

Audited by Gen Agent Trust Hub on Apr 15, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill includes a Python script (scripts/diff_lock.py) that uses subprocess.run to execute git show. This functionality allows the agent to read package-lock.json content from different git references to compare dependency changes.
  • [COMMAND_EXECUTION]: The provided documentation (references/upgrade-workflow.md) contains a shell script that uses node -e to programmatically inspect package.json files within the node_modules directory to check for engine constraints.
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface.
      • Ingestion points: The skill ingests data from package-lock.json and npm audit JSON output, which are influenced by external package registries and project contributors.
      • Boundary markers: Absent; the skill relies on standard JSON parsing without explicit instructions to ignore embedded commands in package names or metadata.
      • Capability inventory: The skill has the capability to execute npm install, npm uninstall, and git checkout commands based on the analyzed data.
      • Sanitization: Uses standard json parsing in Python and jq for shell commands, which validates structure but does not sanitize the semantic content of package names or version strings.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 15, 2026, 09:48 AM