codebase-cleanup-deps-audit

Pass

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: SAFE
Categories: EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill connects to well-known technology services and package registries, including registry.npmjs.org, pypi.org, rubygems.org, and bundlephobia.com, to fetch vulnerability data and package metadata required for auditing.
  • [DATA_EXFILTRATION]: Project dependency names and versions are sent to external vulnerability databases and size analysis APIs. This is the primary intended behavior of the skill to perform its security assessment.
  • [COMMAND_EXECUTION]: The implementation playbook provides remediation scripts that execute package management commands such as npm audit fix, npm update, and pip install to address identified vulnerabilities.
  • [PROMPT_INJECTION]: The skill utilizes the $ARGUMENTS placeholder to receive instructions from the user, which defines the scope of the dependency discovery and analysis.
  • [PROMPT_INJECTION]: The skill exposes a potential attack surface for indirect prompt injection because it processes untrusted data from project manifest files.
      • Ingestion points: The skill reads files including package.json, requirements.txt, go.mod, and Cargo.toml from the codebase being audited.
      • Boundary markers: Files are parsed as structured JSON, YAML, or TOML data; however, no explicit security delimiters are defined to isolate untrusted content from the agent's instructions.
      • Capability inventory: The skill can perform network requests via requests and fetch, and can modify the environment via shell scripts.
      • Sanitization: No specific sanitization or validation of the manifest file content is performed prior to analysis.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 14, 2026, 02:38 PM