document-hunter

[Skill Scanner] URL pointing to executable file detected All findings: [CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4] [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] This skill appears to be a legitimate browser-automation document-hunting tool that downloads public-source documents and stores them locally. No hardcoded secrets, obfuscated code, credential harvesting, or third-party proxying of user credentials is present in the provided material. The main supply-chain concerns are unpinned dependencies (PyPI packages) and a direct download of a GitHub release ZIP for the RECAP extension — both should be verified before execution. Operational risks include scraping sites with anti-bot protections and storing potentially sensitive public documents in a local directory. Overall: not malicious but moderate supply-chain and operational risk; review external downloads and site-specific automation code (site-patterns.md and generated Python scripts) before running. LLM verification: Functionally this SKILL is coherent with its stated purpose (automated retrieval of public documents). There are no direct indicators of malware or credential-harvesting code in the provided documentation. However, the presence of multiple supply-chain risk patterns — unpinned pip installs, instructions to download and unzip a third-party browser extension, and shell installation steps — increases the overall security risk. The biggest risks are supply-chain compromise of unpinned packages or th