graphilizer

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] The skill's declared purpose (launching a local React Flow visualization) matches its capabilities (writing a JSON file, installing a template, and running a local dev server). There is no explicit malicious code in the provided SKILL.md itself, but the instructions require running npm install and executing a local Node script from the skill/template — standard for JS dev tools but a meaningful supply-chain risk if the template or dependencies are untrusted. Because the skill delegates execution to arbitrary npm packages and a local serve script without describing integrity checks or pinned dependencies, it should be treated as potentially risky until the template and dependencies are audited. Overall: functionally coherent but supply-chain-risky; vet dependencies and template before running. LLM verification: Overall, the Graphilizer skill description is conceptually benign and aligns with a legitimate use-case: generating an interactive graph visualization served locally. The workflow and data flow are coherent with the stated purpose. The main risks are around dependency management (unpinning, potential third-party scripts) and ensuring completeness of the docs (truncated Layers section). Recommend: pin dependency versions, use a lockfile, verify integrity of dependencies, and complete the document