clawsec-feed
Pass
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches security advisories and release artifacts from GitHub repositories associated with the author (prompt-security/ClawSec). This behavior is consistent with the skill's stated purpose of providing a centralized threat intelligence feed.
- [COMMAND_EXECUTION]: The installation process and feed parsing utilize shell utilities including curl, jq, unzip, and shasum. The provided scripts demonstrate high security awareness by implementing guards against zip bombs, verifying SHA-256 checksums for all downloads, and checking for path traversal vulnerabilities in archives.
- [PROMPT_INJECTION]: The skill processes an external JSON feed from a remote URL to inform agent decisions, which creates a surface for indirect prompt injection.
  - Ingestion points: advisories/feed.json (fetched via curl in SKILL.md).
  - Boundary markers: Absent; the feed content is processed directly into agent logic without explicit delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill facilitates file system modifications, network requests, and execution of shell commands for installation and monitoring.
  - Sanitization: Uses jq for structured data extraction and applies regex validation (^[a-zA-Z0-9_-]+$) to skill names before processing them in shell loops.