codebase-analysis

The manifest is plausible for a codebase-analysis skill, but its operational directives (immediate, unconditional execution and prohibition on prior exploration) create a high supply-chain risk because they enable arbitrary local code execution with access to repository files and environment variables. No explicit malicious code is present in the fragment, but the invocation pattern is commonly abused. Before allowing execution: inspect the referenced .claude/skills/scripts code, verify provenance and integrity, and run the script in a restricted sandbox. Treat this artifact as suspicious until validated.