vgv-license-compliance

Pass

Audited by Gen Agent Trust Hub on Apr 18, 2026

Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
  • [SAFE]: The skill is a standard developer tool with no malicious patterns. It does not attempt to exfiltrate data, access sensitive credentials, or establish persistence on the system.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface as it processes external package metadata which is not under the immediate control of the user.
    • Ingestion points: Dependency names and license strings retrieved from local project files (e.g., pubspec.yaml) via the license auditing tool.
    • Boundary markers: Absent; there are no instructions for the agent to use delimiters or safety guards when processing the retrieved metadata.
    • Capability inventory: The skill is restricted to file reading, pattern matching (Glob/Grep), and license checking; it has no network write or arbitrary command execution capabilities enabled.
    • Sanitization: Not explicitly performed on the ingested license strings before report generation.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 18, 2026, 04:17 AM