using-jj-workspaces

Fail

Audited by Socket on Feb 20, 2026

1 alert found:

Malware: HIGH
SKILL.md

[Skill Scanner] Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

This skill appears functionally coherent and aligned with its stated purpose: setting up isolated jj workspaces, ensuring workspace dirs are gitignored, creating the workspace, and running setup/tests. There is no sign of intentional malware, obfuscation, or exfiltration.

The main security considerations are operational: the workflow auto-modifies .gitignore and runs package manager install/test commands which can execute arbitrary code from project dependencies or install scripts. For untrusted repositories, those steps should be sandboxed and/or require explicit user confirmation. Overall, the code is benign but carries normal supply-chain risks inherent to running build/install scripts.

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At: Feb 20, 2026, 06:05 AM
Package URL: pkg:socket/skills-sh/edmundmiller%2Fdotfiles%2Fusing-jj-workspaces%2F@9a0c6ac58f020d3351be3f51fed7d8adf7e4b73b