canghe-markdown-to-html
Audited by Socket on Feb 24, 2026
1 alert found:
Security [Skill Scanner]: Backtick command substitution detected

This SKILL.md is consistent with its stated purpose (Markdown -> styled HTML). It only reads local Markdown and EXTEND.md and writes local HTML/backup and stdout JSON. There are no hardcoded secrets, obfuscated payloads, network exfiltration endpoints, or instructions to run arbitrary remote binaries via curl|bash. The main supply-chain consideration is the 'npx -y bun' execution pattern which causes dependency/runtime fetches at run-time — a common but notable supply-chain vector. If you trust the runtime and any invoked skill (canghe-format-markdown), this is benign. Otherwise review the referenced scripts and the other skill before running in high-security environments.

LLM verification: The SKILL.md is functionally coherent: capabilities align with purpose and requested file access is proportional. There are no hardcoded credentials, obfuscated payloads, or explicit exfiltration sinks in the provided document. However, the runtime execution pattern (`npx -y bun ...`) is a download-and-execute supply-chain vector (un-pinned, fetched at run time) and therefore raises supply-chain risk. Overall: likely benign functionality but with a moderate supply-chain execution risk that shoul