sca-osv-scanner

Pass

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: LOW
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (LOW): The skill instructs the user to install OSV-Scanner from github.com/google/osv-scanner. Per the security guidelines, downloads from trusted sources like Google are downgraded to LOW.
  • COMMAND_EXECUTION (LOW): The skill executes the osv-scanner binary with various flags to scan directories and lockfiles. This is legitimate behavior for a security audit tool.
  • PROMPT_INJECTION (LOW): (Indirect) The skill processes untrusted external data (lockfiles and SBOMs). Mandatory Evidence:
      1. Ingestion points: Local project directory and lockfiles (e.g., package-lock.json).
      2. Boundary markers: None.
      3. Capability inventory: Subprocess execution of osv-scanner and file system read/write.
      4. Sanitization: None.
    While malicious content in these files could theoretically attempt to influence the agent's summary, the capability tier is LOW as it primarily results in a summary display.
Audit Metadata
Risk Level: LOW
Analyzed: Feb 16, 2026, 09:18 AM