release
Audited by Socket on Feb 17, 2026
1 alert found:
Malware [Skill Scanner]: Instruction directing agent to run/execute external content

All findings:
[CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4]
[HIGH] command_injection: PowerShell execution detected (CI005) [AITech 9.1.4]

This skill is coherent and consistent with its stated purpose (releasing to PyPI and GitHub). There are no signs of malicious behavior in the provided instructions: required credentials and operations are proportionate and expected. Primary concerns are operational hazards (git reset --hard) and the normal sensitivity of storing PYPI_TOKEN in .env. Because the actual build_and_deploy.ps1 and the 'uv' tool are not included here, residual supply-chain risk remains if those artifacts are malicious, but nothing in this instruction file itself is malicious.

LLM verification: The SKILL.md itself is a legitimate release playbook describing standard actions to bump version, build, publish to PyPI, and create a GitHub release. However it directs execution of an external PowerShell script with '-ExecutionPolicy Bypass' and relies on an unverified 'uv' CLI — both are material software supply-chain risk points. Before running these steps in any trusted environment, inspect and audit build_and_deploy.ps1 and the 'uv' tool: review their source, confirm network endpoints, res