anysystem-design

[Skill Scanner] Instruction to copy/paste content into terminal detected All findings: [CRITICAL] command_injection: Instruction to copy/paste content into terminal detected (CI012) [AITech 9.1.4] [HIGH] transitive_trust: Loading external skill detected (AU004) [AITech 1.2] The skill fragment is coherent with its intended purpose as developer documentation for AnySystem Design. It relies on standard external sources for installation and content provisioning, which introduces typical supply-chain risk that should be managed via provenance checks (verify publisher, pin versions, use integrity hashes). No credential access, data exfiltration, or executable behavior is present in the fragment. LLM verification: This SKILL.md appears to be legitimate documentation for a React component library AI assistant skill. It contains expected installation and usage instructions and no direct malicious code in the provided text. However, it instructs users to perform supply-chain actions (npx/bunx install, git clone, copy files into agent skill directories, and use load_skill) that carry inherent risk if the upstream package or repository is malicious or compromised. No credential harvesting, obfuscated payloads,