using-xrpc-indexer

Warn

Audited by Socket on Feb 13, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Download or install from free hosting/deployment platform detected

All findings:

[HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4]
[HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4]
[HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4]

This skill fragment is coherent with its stated purpose: it issues HTTP GETs to a named XRPC semantic search API and returns results. There is no evidence of obfuscated or intentionally malicious code in the provided text. The main security consideration is privacy: user queries are transmitted to central-production.up.railway.app (a third-party host). If callers expect local-only processing or have strict data handling requirements, this is a notable concern. Overall the fragment appears benign for its stated function but requires trust in the remote endpoint.

LLM verification: The skill's behavior is consistent with its stated purpose (semantic search) and the code shown is simple and not directly malicious. However, all data flows go through a third-party Railway-hosted endpoint (central-production.up.railway.app) with no provenance, authentication, or privacy guidance. This creates a realistic risk that sensitive queries or data could be captured by the remote host. If you trust the operator of that endpoint (official comind / team), the skill is likely safe to use.

Confidence: 80%
Severity: 75%
Audit Metadata

Analyzed At: Feb 13, 2026, 09:48 PM
Package URL: pkg:socket/skills-sh/cpfiffer%2Fcentral%2Fusing-xrpc-indexer%2F@6928c6030c4ae6c553904da9e08315cc1c92cf2b