polish-repo
Audited by Socket on Feb 21, 2026
1 alert found:
Security [Skill Scanner]: Skill instructions include directives to hide actions from user

All findings:
[HIGH] autonomy_abuse: Skill instructions include directives to hide actions from user (BH009) [AITech 13.3]
[HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4]

The provided fragment is a coherent, benign template/instruction set for repo polishing and publishing setup. It does not implement executable code, nor does it solicit or handle secrets. The only external resource reference is a branding asset download for aesthetics, which is a normal part of repo bootstrap templates. Overall risk is low with respect to supply-chain misuse, though practitioners should ensure external branding assets referenced are trusted.

LLM verification: This skill is primarily a benign repository-templating/instruction artifact designed to add documentation, community files, CI/publishing configuration, and an agent usage skill. There is no direct malicious code in the supplied content. However, several high-risk supply-chain patterns are recommended: (1) adding a postinstall script that runs on npm installs (even if print-only), (2) encouraging the use of npx skills add which fetches and executes remote code, and (3) fetching remote assets at