docx

[Skill Scanner] Installation of third-party script detected All findings: [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4] The skill's capabilities are coherent with its stated purpose: working with .docx files via OOXML, tracked changes, and format conversions. It does not contain instructions to reach out to external domains, harvest credentials, or execute remote payloads. The main security considerations are operational: executing external binaries (pandoc, LibreOffice, poppler) and handling potentially sensitive document contents/metadata locally. The repeated 'MANDATORY - READ ENTIRE FILE' guidance is unusual but not malicious. Overall, this skill appears functionally benign for document processing but carries moderate operational risk typical of tools that process arbitrary user documents (exposure of sensitive content and dependence on third-party binaries). LLM verification: The skill's stated purpose (docx creation/editing/analysis) matches its capabilities. The main security issues are supply-chain: multiple unpinned downloads/install commands (apt, npm, pip), and instructions to run repository scripts (unpack/pack) with no integrity verification. The mandatory "read entire file" directives are unusual and could cause excessive local data exposure if followed blindly. No explicit network exfiltration endpoints, hardcoded credentials, or obfuscated malicious code w