security-scanning-security-dependencies

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The DependencyScanner class in resources/implementation-playbook.md uses subprocess.run to execute several command-line tools including npm audit, safety check, govulncheck, and cargo audit. These are used to collect vulnerability data.
  • [EXTERNAL_DOWNLOADS]: The skill recommends the installation of various third-party security tools from official package registries (e.g., pip install safety pip-audit, npm install -g snyk). Additionally, the automated-dependency-update.sh script executes commands that download external code, such as npm install and go get.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection when processing project files.
      1. Ingestion points: Manifest files like package.json, requirements.txt, go.mod, and Cargo.toml are read from the filesystem.
      2. Boundary markers: No explicit markers or 'ignore instructions' directives are used when processing the data.
      3. Capability inventory: The skill can execute subprocesses for scanning and fixing dependencies, and it generates summary reports.
      4. Sanitization: Input is parsed as JSON/text, but package names and versions are interpolated into Markdown reports without specific sanitization against injection attacks.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 10, 2026, 06:51 AM