techdebt
Audited by Socket on Feb 20, 2026
1 alert found:
Malware [Skill Scanner]: Installation of third-party script detected

All findings:
  [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
  [HIGH] skill_discovery_abuse: System prompt extraction attempt (SD002) [AITech 4.3]

BENIGN: The skill/document describes a coherent, developer-facing tech debt analysis workflow with parallel subagents, safe auto-fix semantics, and standard reporting outputs. There are no credential reads, no external data exfiltration, and no suspicious network activity indicated. The footprint aligns with the stated purpose of code-quality and debt detection tooling.

LLM verification: The skill specification describes a reasonable technical-debt scanner with parallel subagents and an interactive auto-fix mode. I found no explicit malicious code or obfuscated payloads in the provided SKILL.md. However, there are notable supply-chain and data-leak risks in operational details: dynamic installation or updating of third-party analyzers without pinned sources/checksums, absence of sandboxing or network restrictions for external tools, and the potential to capture or surface sensit
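The SC006 finding above is about a skill that fetches and runs a third-party analyzer without a pinned source or checksum. The shell snippet below is an added illustration of the mitigation, not code from the techdebt skill or from Socket: the installer is downloaded to a temporary path, its SHA-256 is compared against a hash pinned alongside the skill, and it is only executed on a match. The function names, the URL argument and the pinned hash are assumptions for the example.

```shell
#!/bin/sh
# Added example: pin a third-party installer by SHA-256 before running it.
# Hypothetical helpers written for this page; the techdebt skill does not ship them.

# sha256_of FILE -> prints the hex digest, using whichever tool the host has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_pinned FILE EXPECTED_SHA256 -> 0 on match, 1 (with a message) otherwise.
verify_pinned() {
  file="$1"
  expected="$2"
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run $file: expected $expected, got $actual" >&2
    return 1
  fi
  return 0
}

# run_pinned_installer URL EXPECTED_SHA256 -> download, verify, then execute.
# The URL and hash are assumed to come from the skill's own pinned config;
# a mismatch (e.g. the upstream script changed) aborts before anything runs.
run_pinned_installer() {
  url="$1"
  expected="$2"
  tmp=$(mktemp) || return 1
  if ! curl -fsSL "$url" -o "$tmp"; then
    rm -f "$tmp"
    return 1
  fi
  if ! verify_pinned "$tmp" "$expected"; then
    rm -f "$tmp"
    return 1
  fi
  sh "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}
```

Updating the analyzer then becomes an explicit change to the pinned hash that shows up in review, rather than a silent re-fetch at run time. This addresses only the pinning half of the finding; the lack of sandboxing or network restrictions for the external tool is a separate control.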