canghe-format-markdown

Warn

Audited by Socket on Feb 24, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Backtick command substitution detected

This skill's purpose and described capabilities are internally consistent with a markdown formatter. Primary concern: the required execution step uses 'npx -y bun ${SKILL_DIR}/scripts/main.ts' — a download-and-execute pattern (npx fetching bun) without a pinned version or verification, which is a supply-chain risk. There is no evidence in this fragment of direct malicious behavior (no credential harvesting, no exfiltration endpoints, no obfuscated payload). Treat as SUSPICIOUS due to the unpinned runtime download and the fact that the process will run code (local scripts) under a network-fetched runtime.

Remediation: require pinning/verifying the bun version or provide a vetted local runtime installation, avoid the npx -y download-execute pattern, and audit scripts/main.ts and the other scripts before running.

LLM verification: This skill's functionality (reading a file, formatting, writing an output) is consistent with its stated purpose, but there are supply-chain and operational risks in the execution instructions. The primary concern is the required runtime invocation using `npx -y bun ${SKILL_DIR}/scripts/main.ts` and multiple unpinned npm references in the documentation: these patterns instruct users/agents to download and execute third-party code without version pinning or integrity checks, which is a high-risk

Confidence: 75%
Severity: 75%
Audit Metadata
Analyzed At: Feb 24, 2026, 11:25 AM
Package URL: pkg:socket/skills-sh/freestylefly%2Fcanghe-skills%2Fcanghe-format-markdown%2F@c74a9a87e141ebaaaf8b45e0d29924ae82c36b47