flashcard-creator

This Skill's stated purpose — extracting language content from open web pages and producing Anki-ready flashcards — is legitimate and the documented extraction/formatting guidance is coherent. However, the skill mandates automatic execution of a local conversion script (python3 parse_flashcards.py) and grants the agent Bash and Write capabilities. That write->execute requirement is disproportionate and high risk: an unreviewed parser can perform arbitrary actions (network calls, credential exfiltration, modification of host files). The skill also lacks guidance to avoid scraping sensitive content or to require explicit user confirmation before running local commands. Overall, the component is not evidently malicious on its face (no hardcoded attacker endpoints or obfuscated payloads shown), but its mandatory automatic execution of local code and broad tool permissions create a significant supply-chain and autonomy risk. Recommend marking as suspicious/vulnerable: do not allow the agent to auto-run local scripts; require the agent to produce files only and ask the user to run conversion or have the user explicitly approve any local execution; inspect parse_flashcards.py before trusting.