apply-qa-fixes
Audited by Socket on Feb 23, 2026
1 alert found:
Security [Skill Scanner] [Documentation context]: Backtick command substitution detected

This skill's stated capabilities align with its documented purpose. It performs local, repository-scoped reads and writes, constructs deterministic fix plans, applies minimal code/test edits, runs lint/tests, updates the task file, and emits telemetry. I did not find direct evidence of malicious code, remote download-and-execute patterns, credential harvesting, or obfuscated payloads in the provided skill description. Primary risks stem from the trust boundary: the skill relies on privileged tooling (bmad-commands, Claude Code primitives) and executes project test/lint scripts that can run arbitrary code. Telemetry emission without an explicit backend and lack of programmatic enforcement of guardrails are additional supply-chain concerns. Overall this appears coherent and legitimate for its purpose but carries moderate supply-chain risk that should be mitigated with the recommendations above.

LLM verification [LLM Escalated]: The skill fragment is largely coherent with its stated purpose: a deterministic, observable workflow to consume QA quality gate findings and apply fixes within a project's local scope. It uses local file reads, processes findings, builds a prioritized fix plan, applies changes via code-edit tools, validates, updates task state, and emits telemetry. The only notable anomaly is a documentation/example SQL snippet using a backtick-encapsulated string, which could mislead readers if treated as safe
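The finding above is about backticks appearing in documentation text. In SQL (MySQL-style) backticks quote an identifier, but if that same text is pasted into a shell script inside double quotes, sh performs command substitution on it. The following is an added example written for this page; it is not code from the Socket report or from the apply-qa-fixes skill, and the SQL snippet (a column named id) is constructed for illustration, since the actual snippet the scanner flagged is not reproduced on the page. It contrasts the unsafe and safe quoting and includes a minimal check of the kind a scanner applies.

```shell
#!/bin/sh
# Added example for this page; not part of the Socket report or the skill.
# The SQL text below is constructed: a MySQL-style identifier in backticks.

# Inside double quotes, sh treats `id` as command substitution. Because id(1)
# is a real command, the backticked word is silently replaced by its output
# (or by nothing, with an error on stderr, if the command does not exist).
unsafe_sql_in_double_quotes() {
  printf '%s' "SELECT `id` FROM users"
}

# Single quotes suppress all expansion, so the SQL reaches its consumer intact.
safe_sql_in_single_quotes() {
  printf '%s' 'SELECT `id` FROM users'
}

# A heredoc with a quoted delimiter is the equivalent for multi-line snippets.
safe_sql_in_quoted_heredoc() {
  cat <<'SQL'
SELECT `id` FROM users
SQL
}

# Minimal check in the spirit of the scanner's alert: does the text contain a
# construct that sh would treat as command substitution (a backtick pair or
# $( ... ))? Returns 0 when such a construct is present, 1 otherwise.
has_command_substitution() {
  case "$1" in
    *\`*\`*|*\$\(*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage (constructed inputs): each flagged snippet should be reviewed for how
# it is quoted before it is copied into any shell context.
for snippet in 'SELECT `id` FROM users' 'SELECT id FROM users' 'echo $(whoami)'; do
  if has_command_substitution "$snippet"; then
    printf 'FLAG  %s\n' "$snippet"
  else
    printf 'ok    %s\n' "$snippet"
  fi
done
```

The check is deliberately conservative: it flags any backtick pair, including legitimate SQL identifier quoting, because the scanner cannot know which context the text will land in. That is exactly the ambiguity the report describes, and the fix on the documentation side is to keep such snippets in single-quoted strings or quoted heredocs when they appear in shell examples.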