dcf-model

Warn

Audited by Socket on Feb 25, 2026

1 alert found:

Security: MEDIUM
SKILL.md

This SKILL documentation describes a legitimate, specialized DCF model builder with reasonable capabilities for its stated purpose. No direct malicious code is present in the text. The primary security concerns are supply-chain and operational: (1) executing recalc.py/LibreOffice is a download-and-execute pattern that requires trusting the recalc.py source and any dependencies; (2) network calls to MCP servers and web fetches introduce potential exfiltration or credential forwarding risks if API keys or data are mishandled; and (3) the docs do not specify secure handling or provenance for external tools and dependencies. These issues raise a moderate security risk that can be mitigated by: obtaining recalc.py and any helper libraries from trusted, pinned, auditable sources; using least-privilege and transient credentials for MCP/web access; avoiding embedding sensitive secrets/credentials in cell comments; and performing code review on the implementation that performs network calls and process execution. Overall I classify this skill as functionally appropriate but with medium supply-chain risk that requires operational controls.

Confidence: 75%
Severity: 75%
Audit Metadata
Analyzed At
Feb 25, 2026, 02:28 AM
Package URL
pkg:socket/skills-sh/anthropics%2Ffinancial-services-plugins%2Fdcf-model%2F@baa2b6e70d3cf61efc6d72070218f2a239219915