The Agent Skills Directory

[COMMAND_EXECUTION]: The skill executes multiple external binaries and shell scripts to perform its scanning and remediation functions.
Evidence: The DependencyScanner class in resources/implementation-playbook.md uses subprocess.run to execute npm audit, safety check, govulncheck, and cargo audit.
Evidence: The automated update script (automated-dependency-update.sh) executes project-specific test suites (npm test, pytest, go test), which involves running code defined within the project being scanned.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection from malicious manifest files being scanned.
Ingestion points: Data such as package names and vulnerability IDs are extracted from package.json, requirements.txt, and scanner JSON outputs in resources/implementation-playbook.md.
Boundary markers: Absent. No delimiters or instructions are used to prevent the agent from interpreting instructions embedded in the processed manifest data.
Capability inventory: The skill has the ability to execute arbitrary commands via subprocess.run and write files.
Sanitization: Absent. Extracted data is interpolated directly into Markdown reports without validation or escaping, allowing malicious content in package manifests to influence the agent's output.

security-scanning-security-dependencies