
chore(deps): update getsentry/skills digest to 0493d77 #601

Open
renovate[bot] wants to merge 1 commit into main from renovate/getsentry-skills-digest

renovate Bot commented May 1, 2026

This PR contains the following updates:

Package | Update | Change
getsentry/skills | digest | f2cff98 → 0493d77

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies label May 1, 2026
github-actions Bot commented May 1, 2026

🛡️ Skill Security Scan Results

✅ agents-md

  • Status: Passed
  • Findings: 5
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ claude-settings-audit

  • Status: Passed
  • Findings: 5
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ code-review

  • Status: Passed
  • Findings: 1
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ code-simplifier

  • Status: Passed
  • Findings: 1
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ commit

  • Status: Passed
  • Findings: 4
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ create-branch

  • Status: Passed
  • Findings: 4
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ django-access-review

  • Status: Passed
  • Findings: 2

✅ django-perf-review

  • Status: Passed
  • Findings: 0

✅ doc-coauthoring

  • Status: Passed
  • Findings: 4
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ find-bugs

  • Status: Passed
  • Findings: 4
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ gh-review-requests

  • Status: Passed
  • Findings: 3

✅ gha-security-review

  • Status: Passed
  • Findings: 96
  • Allowed (not blocking): 92
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • PIPELINE_TAINT_FLOW (Allowed: The skill's reference material cites curl | bash and similar RCE patterns as instructional examples of supply-chain-style attacks detectable in CI workflows. The scanner itself flags these as 'found in documentation file — may be instructional rather than executable'.)
    • PIPELINE_TAINT_FLOW (Allowed: The skill's reference material cites curl | bash and similar RCE patterns as instructional examples of supply-chain-style attacks detectable in CI workflows. The scanner itself flags these as 'found in documentation file — may be instructional rather than executable'.)
    • PIPELINE_TAINT_FLOW (Allowed: The skill's reference material cites curl | bash and similar RCE patterns as instructional examples of supply-chain-style attacks detectable in CI workflows. The scanner itself flags these as 'found in documentation file — may be instructional rather than executable'.)
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_CONSENSUS_POISONING (Allowed: False positive - matches "fake approval" in references/ai-prompt-injection-via-ci.md,
      which describes the fake-approval/consensus-poisoning attack pattern as
      something a CI reviewer should look for. Documentation, not poisoning.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_SUPPLY_CHAIN_POISONING (Allowed: False positive (14 hits) - matches curl https://attacker...,
      curl -sSfL ...attacker, "request content, attacker", "HTTP exfil",
      and similar attack-pattern strings inside the skill's reference docs
      (references/ai-prompt-injection-via-ci.md, comment-triggered-commands.md,
      credential-escalation.md, expression-injection.md, pwn-request.md).
      These are deliberate hostile-payload examples included so the skill can
      teach reviewers what supply-chain poisoning looks like in CI. They are
      not commands the agent runs. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_TOOL_SSRF (Allowed: False positive - matches ::1 / loopback / metadata-host strings in
      the skill's reference docs about credential escalation and SSRF in
      GHA. Same root cause as ATR_SUPPLY_CHAIN_POISONING above: the skill
      documents SSRF attack patterns as part of teaching the reviewer to
      find them. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )

✅ iterate-pr

  • Status: Passed
  • Findings: 7
  • Allowed (not blocking): 2
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)
    • RESOURCE_ABUSE_INFINITE_LOOP (Allowed: The scripts/monitor_pr_checks.py helper polls PR check status in a while True: loop with bounded retries and sleep — legitimate for waiting until CI reaches a terminal state. The script has a timeout and exit conditions.)

✅ pr-writer

  • Status: Passed
  • Findings: 4
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ prompt-optimizer

  • Status: Passed
  • Findings: 3
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ security-review

  • Status: Passed
  • Findings: 4

✅ skill-scanner

  • Status: Passed
  • Findings: 1
  • Allowed (not blocking): 1
    • YARA_prompt_injection_unicode_steganography (Allowed: The skill documents invisible Unicode steganography (\U000e0001 tag characters) as a prompt-injection vector. Describing the attack class is required for the skill to teach detection of it.)

✅ skill-writer

  • Status: Passed
  • Findings: 124
  • Allowed (not blocking): 120
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - matches on the literal word "references" / "reference"
      in references/workflow-patterns.md, which is the skill's own pointer
      list to its bundled reference docs (the standard skill-writer reference
      architecture). The pattern is not an MCP tool response; it's static
      skill instruction text. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - matches on the literal word "references" / "reference"
      in references/workflow-patterns.md, which is the skill's own pointer
      list to its bundled reference docs (the standard skill-writer reference
      architecture). The pattern is not an MCP tool response; it's static
      skill instruction text. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - matches on the literal word "references" / "reference"
      in references/workflow-patterns.md, which is the skill's own pointer
      list to its bundled reference docs (the standard skill-writer reference
      architecture). The pattern is not an MCP tool response; it's static
      skill instruction text. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - matches on the literal word "references" / "reference"
      in references/workflow-patterns.md, which is the skill's own pointer
      list to its bundled reference docs (the standard skill-writer reference
      architecture). The pattern is not an MCP tool response; it's static
      skill instruction text. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - matches on the literal word "references" / "reference"
      in references/workflow-patterns.md, which is the skill's own pointer
      list to its bundled reference docs (the standard skill-writer reference
      architecture). The pattern is not an MCP tool response; it's static
      skill instruction text. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - matches on the literal word "references" / "reference"
      in references/workflow-patterns.md, which is the skill's own pointer
      list to its bundled reference docs (the standard skill-writer reference
      architecture). The pattern is not an MCP tool response; it's static
      skill instruction text. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - matches on the literal word "references" / "reference"
      in references/workflow-patterns.md, which is the skill's own pointer
      list to its bundled reference docs (the standard skill-writer reference
      architecture). The pattern is not an MCP tool response; it's static
      skill instruction text. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - matches on the literal word "references" / "reference"
      in references/workflow-patterns.md, which is the skill's own pointer
      list to its bundled reference docs (the standard skill-writer reference
      architecture). The pattern is not an MCP tool response; it's static
      skill instruction text. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - matches on the literal word "references" / "reference"
      in references/workflow-patterns.md, which is the skill's own pointer
      list to its bundled reference docs (the standard skill-writer reference
      architecture). The pattern is not an MCP tool response; it's static
      skill instruction text. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - matches on the literal word "references" / "reference"
      in references/workflow-patterns.md, which is the skill's own pointer
      list to its bundled reference docs (the standard skill-writer reference
      architecture). The pattern is not an MCP tool response; it's static
      skill instruction text. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - matches on the literal word "references" / "reference"
      in references/workflow-patterns.md, which is the skill's own pointer
      list to its bundled reference docs (the standard skill-writer reference
      architecture). The pattern is not an MCP tool response; it's static
      skill instruction text. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - matches on the literal word "references" / "reference"
      in references/workflow-patterns.md, which is the skill's own pointer
      list to its bundled reference docs (the standard skill-writer reference
      architecture). The pattern is not an MCP tool response; it's static
      skill instruction text. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - matches on the literal word "references" / "reference"
      in references/workflow-patterns.md, which is the skill's own pointer
      list to its bundled reference docs (the standard skill-writer reference
      architecture). The pattern is not an MCP tool response; it's static
      skill instruction text. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - matches on the literal word "references" / "reference"
      in references/workflow-patterns.md, which is the skill's own pointer
      list to its bundled reference docs (the standard skill-writer reference
      architecture). The pattern is not an MCP tool response; it's static
      skill instruction text. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - matches on the literal word "references" / "reference"
      in references/workflow-patterns.md, which is the skill's own pointer
      list to its bundled reference docs (the standard skill-writer reference
      architecture). The pattern is not an MCP tool response; it's static
      skill instruction text. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - matches on the literal word "references" / "reference"
      in references/workflow-patterns.md, which is the skill's own pointer
      list to its bundled reference docs (the standard skill-writer reference
      architecture). The pattern is not an MCP tool response; it's static
      skill instruction text. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - matches on the literal word "references" / "reference"
      in references/workflow-patterns.md, which is the skill's own pointer
      list to its bundled reference docs (the standard skill-writer reference
      architecture). The pattern is not an MCP tool response; it's static
      skill instruction text. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - matches on the literal word "references" / "reference"
      in references/workflow-patterns.md, which is the skill's own pointer
      list to its bundled reference docs (the standard skill-writer reference
      architecture). The pattern is not an MCP tool response; it's static
      skill instruction text. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - matches on the literal word "references" / "reference"
      in references/workflow-patterns.md, which is the skill's own pointer
      list to its bundled reference docs (the standard skill-writer reference
      architecture). The pattern is not an MCP tool response; it's static
      skill instruction text. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - matches on the literal word "references" / "reference"
      in references/workflow-patterns.md, which is the skill's own pointer
      list to its bundled reference docs (the standard skill-writer reference
      architecture). The pattern is not an MCP tool response; it's static
      skill instruction text. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - matches on the literal word "references" / "reference"
      in references/workflow-patterns.md, which is the skill's own pointer
      list to its bundled reference docs (the standard skill-writer reference
      architecture). The pattern is not an MCP tool response; it's static
      skill instruction text. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - matches on the literal word "references" / "reference"
      in references/workflow-patterns.md, which is the skill's own pointer
      list to its bundled reference docs (the standard skill-writer reference
      architecture). The pattern is not an MCP tool response; it's static
      skill instruction text. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - matches on the literal word "references" / "reference"
      in references/workflow-patterns.md, which is the skill's own pointer
      list to its bundled reference docs (the standard skill-writer reference
      architecture). The pattern is not an MCP tool response; it's static
      skill instruction text. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - matches on the literal word "references" / "reference"
      in references/workflow-patterns.md, which is the skill's own pointer
      list to its bundled reference docs (the standard skill-writer reference
      architecture). The pattern is not an MCP tool response; it's static
      skill instruction text. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )

Summary: Scanned 18 skill(s), all passed security checks. ✅
