gitnexus-cli
Audited by Socket on Mar 1, 2026
1 alert found:
Security: This skill's documentation describes a local indexing and LLM-backed wiki generator which legitimately needs repository read access and local storage for the index. The primary security concerns are supply-chain and credential risks:
(1) running via npx causes dynamic download-and-execute from the npm registry, which is a known supply-chain vector unless the user pins and verifies the package;
(2) LLM API keys are stored in plaintext config (~/.gitnexus/config.json) and may be sent to arbitrary endpoints if the --base-url option is changed or misconfigured;
(3) the --gist option can leak repository content publicly if used without redaction.
There is no evidence of deliberate obfuscation, embedded malicious code, or hidden exfiltration in the provided documentation, but the combination of npx execution and flexible endpoints/credential storage makes this skill moderately risky in practice. Recommend: require pinning versions, document secure file permissions and key handling, warn users about custom base URLs, and add secret-detection/redaction before publishing wikis as gists.