The Agent Skills Directory

[PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection as it processes external C/C++ source code and feeds the diagnostic messages to the agent. While the script performs escaping to maintain JSON integrity, it does not filter the natural language content of the tool outputs.
Ingestion points: C/C++ source files analyzed by clang-tidy and cppcheck in scripts/run_c_checks.sh.
Boundary markers: Analysis results are returned as structured JSON data as described in README.md and SKILL.md.
Capability inventory: The skill is authorized to use Bash, Read, Write, Edit, Glob, and Grep tools.
Sanitization: The run_c_checks.sh script escapes backslashes and double quotes in the message fields to prevent JSON syntax breakage.
[COMMAND_EXECUTION]: The bash script run_c_checks.sh utilizes variable expansion to construct shell commands for clang-tidy. In the run_clang_tidy function, the $file variable is appended to the command string without surrounding quotes (cmd="$cmd $file"), which could potentially lead to shell injection if a file name containing shell metacharacters is processed. However, since the files are sourced from local discovery via git or find, the risk is considered limited to the local environment.

c-verify-skill