claude-code-source-analysis

SUSPICIOUS: The stated purpose is source analysis, but the skill also instructs users to install and rebuild unofficial Claude Code artifacts from third-party sources. The key risk is supply-chain trust: a Tencent mirror tarball and third-party recovery repo are not proportionate or verifiably official for an analysis skill, and the rebuild path can expose ANTHROPIC_API_KEY to untrusted code. No direct malicious exfiltration is shown, but the install and credential-use footprint is inconsistent enough to warrant caution.