post-campaign-creator-scorecard
Audited by Socket on Feb 22, 2026
1 alert found:
Anomaly [Skill Scanner]: Skill instructions include directives to hide actions from user
No malicious behavior or supply-chain attack patterns were found. The skill's capabilities align with its stated purpose of producing post-campaign creator scorecards. The only noteworthy security/privacy consideration is that the skill asks the agent to read a local context file (.claude/brand-context.md) if present and to accept pasted performance/conversion data — both reasonable for personalization but they require users to be careful about what they expose to the agent/runtime. There are no downloads, remote endpoints, credential requests, or execution instructions in the skill text.
LLM verification: The skill matches its stated purpose and contains no direct code-level malware patterns in the provided fragment. Primary risks are privacy and transparency: (1) an instruction to read a local dotfile (.claude/brand-context.md) without an explicit consent mechanism increases the chance of unintentionally exposing sensitive brand data; and (2) a static scanner flag indicating directives to 'hide actions from user' is a significant transparency/red team risk and must be removed or made explicit. R