dep-audit
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute several package management and security auditing commands including npm, pip, poetry, uv, cargo, and go. These commands are used to discover project dependencies and check for security advisories within the intended scope of the skill.
- [EXTERNAL_DOWNLOADS]: The installation instructions involve cloning the skill's source code from the author's GitHub repository. Additionally, the auditing tools referenced by the skill perform network operations to consult official package registries and vulnerability databases.
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection through its ingestion of untrusted repository data.
  - Ingestion points: The skill scans and reads content from package manifest files such as package.json, pyproject.toml, and Cargo.toml.
  - Boundary markers: No delimiters or explicit instructions are provided to the agent to prevent it from following commands that might be embedded within manifest metadata (e.g., package descriptions).
  - Capability inventory: The skill has the capability to execute shell commands and read various files on the system.
  - Sanitization: Manifest content is processed directly without sanitization or validation of the data provided.
Audit Metadata