chore(agents): Add skill-scanner skill

Add the skill-scanner skill from getsentry/skills for scanning agent
skills for security issues such as prompt injection, malicious scripts,
and supply chain risks.

Co-Authored-By: Claude <noreply@anthropic.com>

Author: chargome

.agents/skills/dotagents/SKILL.md

@@ -9,11 +9,11 @@ Manage agent skill dependencies declared in `agents.toml`. dotagents resolves, i
 
 Read the relevant reference when the task requires deeper detail:
 
-| Document                                                   | Read When                                                                 |
-| ---------------------------------------------------------- | ------------------------------------------------------------------------- |
-| [references/cli-reference.md](references/cli-reference.md) | Full command options, flags, examples                                     |
+| Document | Read When |
+|----------|-----------|
+| [references/cli-reference.md](references/cli-reference.md) | Full command options, flags, examples |
 | [references/configuration.md](references/configuration.md) | Editing agents.toml, source formats, trust, MCP, hooks, wildcards, scopes |
-| [references/config-schema.md](references/config-schema.md) | Exact field names, types, and defaults                                    |
+| [references/config-schema.md](references/config-schema.md) | Exact field names, types, and defaults |
 
 ## Quick Start
 
@@ -42,31 +42,31 @@ dotagents list
 
 ## Commands
 
-| Command                     | Description                                                        |
-| --------------------------- | ------------------------------------------------------------------ |
-| `dotagents init`            | Initialize `agents.toml` and `.agents/` directory                  |
-| `dotagents install`         | Install all skills from `agents.toml`                              |
-| `dotagents add <specifier>` | Add a skill dependency                                             |
-| `dotagents remove <name>`   | Remove a skill                                                     |
-| `dotagents update [name]`   | Update skills to latest versions                                   |
-| `dotagents sync`            | Reconcile state (adopt orphans, repair symlinks, verify integrity) |
-| `dotagents list`            | Show installed skills and their status                             |
-| `dotagents mcp`             | Add, remove, or list MCP server declarations                       |
+| Command | Description |
+|---------|-------------|
+| `dotagents init` | Initialize `agents.toml` and `.agents/` directory |
+| `dotagents install` | Install all skills from `agents.toml` |
+| `dotagents add <specifier>` | Add a skill dependency |
+| `dotagents remove <name>` | Remove a skill |
+| `dotagents update [name]` | Update skills to latest versions |
+| `dotagents sync` | Reconcile state (adopt orphans, repair symlinks, verify integrity) |
+| `dotagents list` | Show installed skills and their status |
+| `dotagents mcp` | Add, remove, or list MCP server declarations |
 
 All commands accept `--user` to operate on user scope (`~/.agents/`) instead of the current project.
 
 For full options and flags, read [references/cli-reference.md](references/cli-reference.md).
 
 ## Source Formats
 
-| Format           | Example                                | Description                           |
-| ---------------- | -------------------------------------- | ------------------------------------- |
-| GitHub shorthand | `getsentry/skills`                     | Owner/repo (resolves to GitHub HTTPS) |
-| GitHub pinned    | `getsentry/warden@v1.0.0`              | With tag, branch, or commit           |
-| GitHub SSH       | `git@github.com:owner/repo.git`        | SSH clone URL                         |
-| GitHub HTTPS     | `https://github.com/owner/repo`        | Full HTTPS URL                        |
-| Git URL          | `git:https://git.corp.dev/team/skills` | Any non-GitHub git remote             |
-| Local path       | `path:./my-skills/custom`              | Relative to project root              |
+| Format | Example | Description |
+|--------|---------|-------------|
+| GitHub shorthand | `getsentry/skills` | Owner/repo (resolves to GitHub HTTPS) |
+| GitHub pinned | `getsentry/warden@v1.0.0` | With tag, branch, or commit |
+| GitHub SSH | `git@github.com:owner/repo.git` | SSH clone URL |
+| GitHub HTTPS | `https://github.com/owner/repo` | Full HTTPS URL |
+| Git URL | `git:https://git.corp.dev/team/skills` | Any non-GitHub git remote |
+| Local path | `path:./my-skills/custom` | Relative to project root |
 
 ## Key Concepts
 

.agents/skills/dotagents/references/cli-reference.md

@@ -8,11 +8,11 @@ dotagents [--user] <command> [options]
 
 ### Global Flags
 
-| Flag              | Description                                                     |
-| ----------------- | --------------------------------------------------------------- |
-| `--user`          | Operate on user scope (`~/.agents/`) instead of current project |
-| `--help`, `-h`    | Show help                                                       |
-| `--version`, `-V` | Show version                                                    |
+| Flag | Description |
+|------|-------------|
+| `--user` | Operate on user scope (`~/.agents/`) instead of current project |
+| `--help`, `-h` | Show help |
+| `--version`, `-V` | Show version |
 
 ## Commands
 
@@ -27,13 +27,12 @@ dotagents init --force
 dotagents --user init
 ```
 
-| Flag              | Description                                                             |
-| ----------------- | ----------------------------------------------------------------------- |
+| Flag | Description |
+|------|-------------|
 | `--agents <list>` | Comma-separated agent targets (claude, cursor, codex, vscode, opencode) |
-| `--force`         | Overwrite existing `agents.toml`                                        |
+| `--force` | Overwrite existing `agents.toml` |
 
 **Interactive mode** (when TTY is available):
-
 1. Select agents (multiselect)
 2. Manage `.gitignore` for installed skills?
 3. Trust policy: allow all sources or restrict to trusted
@@ -49,13 +48,12 @@ dotagents install --frozen
 dotagents install --force
 ```
 
-| Flag       | Description                                                        |
-| ---------- | ------------------------------------------------------------------ |
+| Flag | Description |
+|------|-------------|
 | `--frozen` | Fail if lockfile is missing or out of sync; do not modify lockfile |
-| `--force`  | Ignore locked commits and resolve all skills to latest refs        |
+| `--force` | Ignore locked commits and resolve all skills to latest refs |
 
 **Workflow:**
-
 1. Load config and lockfile
 2. Expand wildcard entries (discover all skills from source)
 3. Validate trust for each skill source
@@ -83,15 +81,14 @@ dotagents add git:https://git.corp.dev/team/skills      # Non-GitHub git URL
 dotagents add path:./my-skills/custom                   # Local path
 ```
 
-| Flag             | Description                                                       |
-| ---------------- | ----------------------------------------------------------------- |
-| `--name <name>`  | Specify which skill to add (repeatable; alias: `--skill`)         |
-| `--skill <name>` | Alias for `--name` (repeatable)                                   |
-| `--ref <ref>`    | Pin to a specific tag, branch, or commit                          |
-| `--all`          | Add all skills from the source as a wildcard entry (`name = "*"`) |
+| Flag | Description |
+|------|-------------|
+| `--name <name>` | Specify which skill to add (repeatable; alias: `--skill`) |
+| `--skill <name>` | Alias for `--name` (repeatable) |
+| `--ref <ref>` | Pin to a specific tag, branch, or commit |
+| `--all` | Add all skills from the source as a wildcard entry (`name = "*"`) |
 
 **Specifier formats:**
-
 - `owner/repo` -- GitHub shorthand
 - `owner/repo@ref` -- GitHub with pinned ref
 - `https://github.com/owner/repo` -- GitHub HTTPS URL
@@ -137,7 +134,6 @@ dotagents sync
 ```
 
 **Actions performed:**
-
 1. Adopt orphaned skills (installed but not declared in config)
 2. Regenerate `.agents/.gitignore`
 3. Check for missing skills
@@ -157,12 +153,11 @@ dotagents list
 dotagents list --json
 ```
 
-| Flag     | Description    |
-| -------- | -------------- |
+| Flag | Description |
+|------|-------------|
 | `--json` | Output as JSON |
 
 **Status indicators:**
-
 - `✓` ok -- installed, integrity matches
 - `~` modified -- locally modified since install
 - `✗` missing -- in config but not installed
@@ -183,13 +178,13 @@ dotagents mcp add github --command npx --args -y --args @modelcontextprotocol/se
 dotagents mcp add remote-api --url https://mcp.example.com/sse --header "Authorization:Bearer token"
 ```
 
-| Flag                   | Description                                             |
-| ---------------------- | ------------------------------------------------------- |
-| `--command <cmd>`      | Command to run (stdio transport)                        |
-| `--args <arg>`         | Command arguments (repeatable)                          |
-| `--url <url>`          | HTTP endpoint URL (HTTP transport)                      |
-| `--header <Key:Value>` | HTTP headers (repeatable)                               |
-| `--env <VAR>`          | Environment variable names to pass through (repeatable) |
+| Flag | Description |
+|------|-------------|
+| `--command <cmd>` | Command to run (stdio transport) |
+| `--args <arg>` | Command arguments (repeatable) |
+| `--url <url>` | HTTP endpoint URL (HTTP transport) |
+| `--header <Key:Value>` | HTTP headers (repeatable) |
+| `--env <VAR>` | Environment variable names to pass through (repeatable) |
 
 Either `--command` or `--url` is required (mutually exclusive).
 
@@ -210,6 +205,6 @@ dotagents mcp list
 dotagents mcp list --json
 ```
 
-| Flag     | Description    |
-| -------- | -------------- |
+| Flag | Description |
+|------|-------------|
 | `--json` | Output as JSON |

.agents/skills/dotagents/references/config-schema.md

@@ -16,11 +16,11 @@ agents = ["claude", "cursor"]   # Optional, agent targets
 
 ## Top-Level Fields
 
-| Field       | Type     | Required | Default | Description                                                      |
-| ----------- | -------- | -------- | ------- | ---------------------------------------------------------------- |
-| `version`   | integer  | Yes      | --      | Schema version, must be `1`                                      |
-| `gitignore` | boolean  | No       | `true`  | Generate `.agents/.gitignore` for managed skills.                |
-| `agents`    | string[] | No       | `[]`    | Agent targets: `claude`, `cursor`, `codex`, `vscode`, `opencode` |
+| Field | Type | Required | Default | Description |
+|-------|------|----------|---------|-------------|
+| `version` | integer | Yes | -- | Schema version, must be `1` |
+| `gitignore` | boolean | No | `true` | Generate `.agents/.gitignore` for managed skills. |
+| `agents` | string[] | No | `[]` | Agent targets: `claude`, `cursor`, `codex`, `vscode`, `opencode` |
 
 ## Project Section
 
@@ -50,12 +50,12 @@ ref = "v1.0.0"                  # Optional, pin to tag/branch/commit
 path = "tools/my-skill"         # Optional, subdirectory within repo
 ```
 
-| Field    | Type   | Required | Description                                                   |
-| -------- | ------ | -------- | ------------------------------------------------------------- |
-| `name`   | string | Yes      | Unique identifier. Pattern: `^[a-zA-Z0-9][a-zA-Z0-9._-]*$`    |
-| `source` | string | Yes      | `owner/repo`, `owner/repo@ref`, `git:url`, or `path:relative` |
-| `ref`    | string | No       | Tag, branch, or commit SHA to pin                             |
-| `path`   | string | No       | Subdirectory containing the skill within the source repo      |
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `name` | string | Yes | Unique identifier. Pattern: `^[a-zA-Z0-9][a-zA-Z0-9._-]*$` |
+| `source` | string | Yes | `owner/repo`, `owner/repo@ref`, `git:url`, or `path:relative` |
+| `ref` | string | No | Tag, branch, or commit SHA to pin |
+| `path` | string | No | Subdirectory containing the skill within the source repo |
 
 ### Wildcard Skills
 
@@ -67,12 +67,12 @@ ref = "v1.0.0"                  # Optional
 exclude = ["deprecated-skill"]  # Optional, skills to skip
 ```
 
-| Field     | Type          | Required | Description                        |
-| --------- | ------------- | -------- | ---------------------------------- |
-| `name`    | literal `"*"` | Yes      | Wildcard marker                    |
-| `source`  | string        | Yes      | Same formats as regular skills     |
-| `ref`     | string        | No       | Tag, branch, or commit SHA to pin  |
-| `exclude` | string[]      | No       | Skill names to skip. Default: `[]` |
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `name` | literal `"*"` | Yes | Wildcard marker |
+| `source` | string | Yes | Same formats as regular skills |
+| `ref` | string | No | Tag, branch, or commit SHA to pin |
+| `exclude` | string[] | No | Skill names to skip. Default: `[]` |
 
 ## Trust Section
 
@@ -87,12 +87,12 @@ github_repos = ["ext-org/repo"]     # Exact owner/repo pairs
 git_domains = ["git.corp.example.com"]  # Git URL domains
 ```
 
-| Field          | Type     | Description                                |
-| -------------- | -------- | ------------------------------------------ |
-| `allow_all`    | boolean  | Allow all sources (overrides other fields) |
-| `github_orgs`  | string[] | Allowed GitHub organizations               |
-| `github_repos` | string[] | Allowed exact `owner/repo` pairs           |
-| `git_domains`  | string[] | Allowed domains for `git:` URLs            |
+| Field | Type | Description |
+|-------|------|-------------|
+| `allow_all` | boolean | Allow all sources (overrides other fields) |
+| `github_orgs` | string[] | Allowed GitHub organizations |
+| `github_repos` | string[] | Allowed exact `owner/repo` pairs |
+| `git_domains` | string[] | Allowed domains for `git:` URLs |
 
 No `[trust]` section = allow all sources (backward compatible).
 
@@ -116,14 +116,14 @@ name = "remote-api"                 # Required, unique server name
 url = "https://mcp.example.com/sse" # Required for HTTP
 ```
 
-| Field     | Type     | Required   | Description                                |
-| --------- | -------- | ---------- | ------------------------------------------ |
-| `name`    | string   | Yes        | Unique server identifier                   |
-| `command` | string   | Stdio only | Command to execute                         |
-| `args`    | string[] | No         | Command arguments                          |
-| `env`     | string[] | No         | Environment variable names to pass through |
-| `url`     | string   | HTTP only  | Server URL                                 |
-| `headers` | table    | No         | HTTP headers                               |
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `name` | string | Yes | Unique server identifier |
+| `command` | string | Stdio only | Command to execute |
+| `args` | string[] | No | Command arguments |
+| `env` | string[] | No | Environment variable names to pass through |
+| `url` | string | HTTP only | Server URL |
+| `headers` | table | No | HTTP headers |
 
 ## Hooks Section
 
@@ -134,11 +134,11 @@ matcher = "Bash"                    # Optional, tool name filter
 command = "my-lint-check"           # Required
 ```
 
-| Field     | Type   | Required | Description                                             |
-| --------- | ------ | -------- | ------------------------------------------------------- |
-| `event`   | string | Yes      | `PreToolUse`, `PostToolUse`, `UserPromptSubmit`, `Stop` |
-| `matcher` | string | No       | Tool name to match (omit for all tools)                 |
-| `command` | string | Yes      | Shell command to execute                                |
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `event` | string | Yes | `PreToolUse`, `PostToolUse`, `UserPromptSubmit`, `Stop` |
+| `matcher` | string | No | Tool name to match (omit for all tools) |
+| `command` | string | Yes | Shell command to execute |
 
 ## Lockfile (agents.lock)
 
@@ -156,20 +156,20 @@ commit = "c8881564e75eff4faaecc82d1c3f13356851b6e7"
 integrity = "sha256-FWmCLdOj+x+XffiEg7Bx19drylVypeKz8me9OA757js="
 ```
 
-| Field           | Type   | Description                                        |
-| --------------- | ------ | -------------------------------------------------- |
-| `source`        | string | Original source from `agents.toml`                 |
-| `resolved_url`  | string | Resolved git URL                                   |
-| `resolved_path` | string | Subdirectory within repo                           |
-| `resolved_ref`  | string | Ref that was resolved (omitted for default branch) |
-| `commit`        | string | Full 40-char SHA of resolved commit                |
-| `integrity`     | string | `sha256-` prefixed base64 content hash             |
+| Field | Type | Description |
+|-------|------|-------------|
+| `source` | string | Original source from `agents.toml` |
+| `resolved_url` | string | Resolved git URL |
+| `resolved_path` | string | Subdirectory within repo |
+| `resolved_ref` | string | Ref that was resolved (omitted for default branch) |
+| `commit` | string | Full 40-char SHA of resolved commit |
+| `integrity` | string | `sha256-` prefixed base64 content hash |
 
 Local path skills have `source` and `integrity` only (no commit).
 
 ## Environment Variables
 
-| Variable              | Purpose                                                 |
-| --------------------- | ------------------------------------------------------- |
+| Variable | Purpose |
+|----------|---------|
 | `DOTAGENTS_STATE_DIR` | Override cache location (default: `~/.local/dotagents`) |
-| `DOTAGENTS_HOME`      | Override user-scope location (default: `~/.agents`)     |
+| `DOTAGENTS_HOME` | Override user-scope location (default: `~/.agents`) |