guided-social-clip
Audited by Socket on Feb 22, 2026
1 alert found:
Malware
[Skill Scanner] Natural language instruction to download and install from URL detected

All findings:
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4]

Overall, the manifest presents a plausible, well-structured workflow for producing branded vertical clips with explicit timing and design constraints. Security considerations center on secret management, dependency provenance, and external data exchanges. While not inherently malicious, ensure secret scopes are restricted, dependencies are pinned and audited, and user consent is obtained for any brand research data access. The risk level is moderate due to external service integrations and credential handling requirements.

LLM verification: No direct evidence of embedded malware or explicit exfiltration logic in the provided skill text. Primary security concern is supply-chain and operational risk: unpinned npm installs, immediate execution via npx, and guidance that could encourage unsafe credential handling. Recommend pinning package versions/checksums, running all installs and renders in isolated environments (containers/CI runners), using least-privilege tokens for ElevenLabs, and avoiding pasting API keys in chat. Treat the wo