credentials

Warn

Audited by Socket on Mar 18, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Download or install from free hosting/deployment platform detected

This skill is designed to read a user-supplied centralized credentials file, extract known API keys using regexes, validate them against official provider APIs (via curl), and write a local .env. The capabilities, file reads, and network calls are consistent with that purpose. I found no evidence of deliberate exfiltration, obfuscation, or calls to third-party intermediaries. Primary security concerns are operational (consolidating many secrets, potential for accidental git commits, and some broad regexes causing false positives). Recommend: ensure the agent/operator understands local file risks, confirm .env creation location before writing, and review regexes for false-positives.

LLM verification: The skill's stated purpose (centralized API key loading from a user-specified Access.txt) matches the implemented parsing and validation behavior. There is no clear malicious code (no obfuscation, no network calls to unknown third parties, no command injection). However, the skill's capability to read arbitrary credential files and extract many high-value secrets (AWS, GitHub, Stripe, Supabase, etc.) is high-risk in practice: it can expose a large set of credentials if the user pastes a file int

Confidence: 85%
Severity: 75%
Audit Metadata
Analyzed At
Mar 18, 2026, 05:00 PM
Package URL
pkg:socket/skills-sh/alinaqi%2Fclaude-bootstrap%2Fcredentials%2F@d251839bb2f95fe4b94b04b7088d55dfad851fdd