The Agent Skills Directory

[COMMAND_EXECUTION]: The shell scripts in the scripts/ directory (analyze-graphql.sh, analyze-openapi.sh, analyze-protobuf.sh, and generate-compliance-badge.sh) use standard Unix utilities such as find, grep, awk, and cat to analyze local project files and generate compliance reports in JSON or SVG formats.
[EXTERNAL_DOWNLOADS]: The documentation and badge generation scripts reference img.shields.io, a well-known service for generating status badges. These references are used for displaying compliance scores and do not involve downloading executable code from untrusted sources.
[PROMPT_INJECTION]: The skill possesses an indirect prompt injection attack surface because it processes untrusted external data from API specifications and implementation source code.
Ingestion points: The skill reads content from files provided as arguments to the analysis scripts, such as OPENAPI_FILE, GRAPHQL_SCHEMA, and PROTO_FILE, and scans source code directories.
Boundary markers: There are no explicit markers or instructions to the agent to ignore potentially malicious embedded content within the analyzed files.
Capability inventory: Capabilities are limited to local file system reads and static pattern matching using regex; no dynamic execution or network exfiltration of processed data was identified.
Sanitization: The scripts perform pattern-based extraction using standard utilities but do not implement formal sanitization for text processed by the agent.

spec-gap-analysis