pdf-factory

Warn

Audited by Socket on Feb 21, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Installation of third-party script detected

This skill manifest and documentation describe a legitimate PDF rendering pipeline whose requested capabilities and resources are consistent with its stated purpose. The primary risks are standard supply-chain and operational concerns: installing many third-party Python packages (PyPI) and fetching numerous icons from a remote icon host. There are no explicit indicators of malicious behavior in the provided text. However, because the implementation scripts (render.py, compose.py, scripts/install_deps.py, scripts/fetch_icons.py) are not included, a final judgement requires reviewing those files to ensure they do not read unrelated sensitive files or exfiltrate data.

LLM verification: This SKILL.md appears functionally legitimate and aligned with its stated purpose (Markdown -> branded PDF rendering + optional signing). I found no explicit malicious code, credential harvesting, remote command execution, or hidden exfiltration in the provided text. However, there are supply-chain and operational risks: unpinned pip dependencies, reliance on an external installer script (scripts/install_deps.py) whose content is not provided, and on-demand icon fetching from unspecified network

Confidence: 85%
Severity: 75%
Audit Metadata
Analyzed At
Feb 21, 2026, 08:24 AM
Package URL
pkg:socket/skills-sh/bluewaves-creations%2Fbluewaves-skills%2Fpdf-factory%2F@859da091341d40746e71391b97198a5cdc565909