chore(deps): update getsentry/skills digest to d7a020a (#601)

Merged: rdimitrov merged 1 commit into main from renovate/getsentry-skills-digest on May 4, 2026

renovate Bot (Contributor) commented May 1, 2026

This PR contains the following updates:

Package          | Update | Change
getsentry/skills | digest | f2cff98 → d7a020a

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies label May 1, 2026
github-actions Bot (Contributor) commented May 1, 2026

🛡️ Skill Security Scan Results

✅ agents-md

  • Status: Passed
  • Findings: 2
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ claude-settings-audit

  • Status: Passed
  • Findings: 5
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ code-review

  • Status: Passed
  • Findings: 2
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ code-simplifier

  • Status: Passed
  • Findings: 1
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ commit

  • Status: Passed
  • Findings: 4
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ create-branch

  • Status: Passed
  • Findings: 3

✅ django-access-review

  • Status: Passed
  • Findings: 3

✅ django-perf-review

  • Status: Passed
  • Findings: 0

✅ doc-coauthoring

  • Status: Passed
  • Findings: 4
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ find-bugs

  • Status: Passed
  • Findings: 4
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ gh-review-requests

  • Status: Passed
  • Findings: 4
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ gha-security-review

  • Status: Passed
  • Findings: 259
  • Allowed (not blocking): 254
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_SUPPLY_CHAIN_POISONING (Allowed: False positive (14 hits) - matches curl https://attacker...,
      curl -sSfL ...attacker, "request content, attacker", "HTTP exfil",
      and similar attack-pattern strings inside the skill's reference docs
      (references/ai-prompt-injection-via-ci.md, comment-triggered-commands.md,
      credential-escalation.md, expression-injection.md, pwn-request.md).
      These are deliberate hostile-payload examples included so the skill can
      teach reviewers what supply-chain poisoning looks like in CI. They are
      not commands the agent runs. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_CONSENSUS_POISONING (Allowed: False positive - matches "fake approval" in references/ai-prompt-injection-via-ci.md,
      which describes the fake-approval/consensus-poisoning attack pattern as
      something a CI reviewer should look for. Documentation, not poisoning.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_RAG_DATA_POISONING (Allowed: False positive - matches "Do not mention these instruction" in
      references/ai-prompt-injection-via-ci.md, where the skill cites a
      canonical prompt-injection payload example. Documenting the payload
      is the skill's purpose. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_SUPPLY_CHAIN_POISONING (Allowed: False positive (14 hits) - matches curl https://attacker...,
      curl -sSfL ...attacker, "request content, attacker", "HTTP exfil",
      and similar attack-pattern strings inside the skill's reference docs
      (references/ai-prompt-injection-via-ci.md, comment-triggered-commands.md,
      credential-escalation.md, expression-injection.md, pwn-request.md).
      These are deliberate hostile-payload examples included so the skill can
      teach reviewers what supply-chain poisoning looks like in CI. They are
      not commands the agent runs. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_CONSENSUS_POISONING (Allowed: False positive - matches "fake approval" in references/ai-prompt-injection-via-ci.md,
      which describes the fake-approval/consensus-poisoning attack pattern as
      something a CI reviewer should look for. Documentation, not poisoning.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • PIPELINE_TAINT_FLOW (Allowed: The skill's reference material cites curl | bash and similar RCE patterns as instructional examples of supply-chain-style attacks detectable in CI workflows. The scanner itself flags these as 'found in documentation file — may be instructional rather than executable'.)
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_SUPPLY_CHAIN_POISONING (Allowed: False positive (14 hits) - matches curl https://attacker...,
      curl -sSfL ...attacker, "request content, attacker", "HTTP exfil",
      and similar attack-pattern strings inside the skill's reference docs
      (references/ai-prompt-injection-via-ci.md, comment-triggered-commands.md,
      credential-escalation.md, expression-injection.md, pwn-request.md).
      These are deliberate hostile-payload examples included so the skill can
      teach reviewers what supply-chain poisoning looks like in CI. They are
      not commands the agent runs. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_SUPPLY_CHAIN_POISONING (Allowed: False positive (14 hits) - matches curl https://attacker...,
      curl -sSfL ...attacker, "request content, attacker", "HTTP exfil",
      and similar attack-pattern strings inside the skill's reference docs
      (references/ai-prompt-injection-via-ci.md, comment-triggered-commands.md,
      credential-escalation.md, expression-injection.md, pwn-request.md).
      These are deliberate hostile-payload examples included so the skill can
      teach reviewers what supply-chain poisoning looks like in CI. They are
      not commands the agent runs. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_TOOL_SSRF (Allowed: False positive - matches ::1 / loopback / metadata-host strings in
      the skill's reference docs about credential escalation and SSRF in
      GHA. Same root cause as ATR_SUPPLY_CHAIN_POISONING above: the skill
      documents SSRF attack patterns as part of teaching the reviewer to
      find them. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • PG_PII_CREDENTIAL_HARVESTING (Allowed: False positive - matches "extract credential" on
      references/credential-escalation.md, which is literally the topic of
      that reference file (how to spot credential-extraction attacks in
      GitHub Actions). Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_SUPPLY_CHAIN_POISONING (Allowed: False positive (14 hits) - matches curl https://attacker...,
      curl -sSfL ...attacker, "request content, attacker", "HTTP exfil",
      and similar attack-pattern strings inside the skill's reference docs
      (references/ai-prompt-injection-via-ci.md, comment-triggered-commands.md,
      credential-escalation.md, expression-injection.md, pwn-request.md).
      These are deliberate hostile-payload examples included so the skill can
      teach reviewers what supply-chain poisoning looks like in CI. They are
      not commands the agent runs. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_SUPPLY_CHAIN_POISONING (Allowed: False positive (14 hits) - matches curl https://attacker...,
      curl -sSfL ...attacker, "request content, attacker", "HTTP exfil",
      and similar attack-pattern strings inside the skill's reference docs
      (references/ai-prompt-injection-via-ci.md, comment-triggered-commands.md,
      credential-escalation.md, expression-injection.md, pwn-request.md).
      These are deliberate hostile-payload examples included so the skill can
      teach reviewers what supply-chain poisoning looks like in CI. They are
      not commands the agent runs. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_SUPPLY_CHAIN_POISONING (Allowed: False positive (14 hits) - matches curl https://attacker...,
      curl -sSfL ...attacker, "request content, attacker", "HTTP exfil",
      and similar attack-pattern strings inside the skill's reference docs
      (references/ai-prompt-injection-via-ci.md, comment-triggered-commands.md,
      credential-escalation.md, expression-injection.md, pwn-request.md).
      These are deliberate hostile-payload examples included so the skill can
      teach reviewers what supply-chain poisoning looks like in CI. They are
      not commands the agent runs. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_SUPPLY_CHAIN_POISONING (Allowed: False positive (14 hits) - matches curl https://attacker...,
      curl -sSfL ...attacker, "request content, attacker", "HTTP exfil",
      and similar attack-pattern strings inside the skill's reference docs
      (references/ai-prompt-injection-via-ci.md, comment-triggered-commands.md,
      credential-escalation.md, expression-injection.md, pwn-request.md).
      These are deliberate hostile-payload examples included so the skill can
      teach reviewers what supply-chain poisoning looks like in CI. They are
      not commands the agent runs. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_SUPPLY_CHAIN_POISONING (Allowed: False positive (14 hits) - matches curl https://attacker...,
      curl -sSfL ...attacker, "request content, attacker", "HTTP exfil",
      and similar attack-pattern strings inside the skill's reference docs
      (references/ai-prompt-injection-via-ci.md, comment-triggered-commands.md,
      credential-escalation.md, expression-injection.md, pwn-request.md).
      These are deliberate hostile-payload examples included so the skill can
      teach reviewers what supply-chain poisoning looks like in CI. They are
      not commands the agent runs. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_CROSS_AGENT_ATTACK (Allowed: False positive - matches Run() / run(self) in references/pwn-request.md
      example code that demonstrates how a malicious workflow step would run.
      Documentation of attack code, not a multi-agent attack itself. Verified
      at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_SUPPLY_CHAIN_POISONING (Allowed: False positive (14 hits) - matches curl https://attacker...,
      curl -sSfL ...attacker, "request content, attacker", "HTTP exfil",
      and similar attack-pattern strings inside the skill's reference docs
      (references/ai-prompt-injection-via-ci.md, comment-triggered-commands.md,
      credential-escalation.md, expression-injection.md, pwn-request.md).
      These are deliberate hostile-payload examples included so the skill can
      teach reviewers what supply-chain poisoning looks like in CI. They are
      not commands the agent runs. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • PIPELINE_TAINT_FLOW (Allowed: The skill's reference material cites curl | bash and similar RCE patterns as instructional examples of supply-chain-style attacks detectable in CI workflows. The scanner itself flags these as 'found in documentation file — may be instructional rather than executable'.)
    • ATR_CONSENSUS_POISONING (Allowed: False positive - matches "fake approval" in references/ai-prompt-injection-via-ci.md,
      which describes the fake-approval/consensus-poisoning attack pattern as
      something a CI reviewer should look for. Documentation, not poisoning.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_SUPPLY_CHAIN_POISONING (Allowed: False positive (14 hits) - matches curl https://attacker...,
      curl -sSfL ...attacker, "request content, attacker", "HTTP exfil",
      and similar attack-pattern strings inside the skill's reference docs
      (references/ai-prompt-injection-via-ci.md, comment-triggered-commands.md,
      credential-escalation.md, expression-injection.md, pwn-request.md).
      These are deliberate hostile-payload examples included so the skill can
      teach reviewers what supply-chain poisoning looks like in CI. They are
      not commands the agent runs. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_TOOL_SSRF (Allowed: False positive - matches ::1 / loopback / metadata-host strings in
      the skill's reference docs about credential escalation and SSRF in
      GHA. Same root cause as ATR_SUPPLY_CHAIN_POISONING above: the skill
      documents SSRF attack patterns as part of teaching the reviewer to
      find them. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - this skill's purpose is to TEACH a reviewer how to find
      GitHub Actions exploits. Its SKILL.md necessarily contains the attack
      patterns it's looking for: pull_request_target, issue_comment with
      command parsing, ${{ }} in run: blocks, permissions: misconfig,
      run: step exec, etc. ATR_MCP_MALICIOUS_RESPONSE matches these in the
      skill's instructional/reference text. None of these are commands the
      agent is being told to run — they are descriptions of vulnerabilities to
      identify. Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, shell, exec,
      Eval, Pay in "Payload", checkout) inside a skill that documents how
      to spot CI exploitation. These are documentation strings, not tool calls
      the agent is instructed to make. The skill itself declares
      allowed-tools: Read, Grep, Glob, Bash, Task and is read-only by design.
      Verified at digest 5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )

✅ iterate-pr

  • Status: Passed
  • Findings: 6
  • Allowed (not blocking): 2
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)
    • RESOURCE_ABUSE_INFINITE_LOOP (Allowed: The scripts/monitor_pr_checks.py helper polls PR check status in a while True: loop with bounded retries and sleep — legitimate for waiting until CI reaches a terminal state. The script has a timeout and exit conditions.)

✅ pr-writer

  • Status: Passed
  • Findings: 3
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ prompt-optimizer

  • Status: Passed
  • Findings: 3
  • Allowed (not blocking): 1
    • MANIFEST_MISSING_LICENSE (Allowed: getsentry/skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ security-review

  • Status: Passed
  • Findings: 3

✅ skill-scanner

  • Status: Passed
  • Findings: 1
  • Allowed (not blocking): 1
    • YARA_prompt_injection_unicode_steganography (Allowed: The skill documents invisible Unicode steganography (\U000e0001 tag characters) as a prompt-injection vector. Describing the attack class is required for the skill to teach detection of it.)

✅ skill-writer

  • Status: Passed
  • Findings: 125
  • Allowed (not blocking): 120
    • ATR_HIGH_RISK_TOOL_GATE (Allowed: False positive - regex matches on word fragments (kill, Exec, exec,
      format) inside references/workflow-patterns.md, where these appear in
      documentation about workflow patterns ("kill switch", "execution model",
      "format pattern"). They are not tool invocations. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )
    • ATR_MCP_MALICIOUS_RESPONSE (Allowed: False positive - matches on the literal word "references" / "reference"
      in references/workflow-patterns.md, which is the skill's own pointer
      list to its bundled reference docs (the standard skill-writer reference
      architecture). The pattern is not an MCP tool response; it's static
      skill instruction text. Verified at digest
      5cfc9e22a91c2d3a230c4d5154ea0f1babce3b28.
      )

Summary: Scanned 18 skill(s), all passed security checks. ✅

@renovate renovate Bot changed the title chore(deps): update getsentry/skills digest to 0493d77 chore(deps): update getsentry/skills digest to d7a020a May 4, 2026
@renovate renovate Bot force-pushed the renovate/getsentry-skills-digest branch from 10d3dc2 to 947e124 Compare May 4, 2026 18:31
@rdimitrov rdimitrov merged commit 76d596c into main May 4, 2026
59 checks passed
@rdimitrov rdimitrov deleted the renovate/getsentry-skills-digest branch May 4, 2026 19:42