search-for-service
Audited by Socket on Mar 18, 2026
1 alert found:
Security [Skill Scanner]: Credential file access detected

This skill's description and commands match its stated purpose (searching/browsing an API marketplace and inspecting payment requirements). However, it relies on unpinned, runtime download-and-execute via 'npx ...@latest', which is a significant supply-chain risk. The 'details' command actively probes arbitrary URLs by iterating HTTP methods until a 402 response is observed — this can cause side effects and unintended remote actions. There are no hardcoded credentials, but the combination of executing unpinned third-party code and actively mutating remote endpoints makes this skill risky to run without strict controls. I rate this as SUSPICIOUS/High-risk for supply-chain and unintended remote-action concerns; not confirmed malware, but high vulnerability if the upstream package or dependencies are compromised.

LLM verification: No explicit malicious code is present in this SKILL.md fragment (it's documentation). However, the documented workflow contains notable supply-chain and operational risks: dynamic unpinned execution with npx (@latest) and aggressive probing of arbitrary URLs by trying multiple HTTP methods. These behaviors expand the attack surface — a compromised `awal` package or malicious registry package could execute arbitrary code, exfiltrate data, or perform unwanted network activity. Treat the skill as me