hap-view-plugin
Audited by Socket on Feb 24, 2026
1 alert found:
Security [Skill Scanner]: Installation of third-party script detected

All findings:
[HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4]

This skill appears benign and coherent for developing Mingdao HAP view plugins: capabilities, APIs, and install instructions match the stated purpose. The main security concerns are supply-chain and operational: it instructs global, unpinned npm installs (mdye-cli), recommends sudo for macOS, and expects an AI to automatically run install/auth/start/push commands — actions that can expose credentials or enable malicious packages if the upstream CLI or registry is compromised. Treat automated execution by an agent with caution: require explicit user consent before installing global packages or entering credentials, and prefer pinned versions or integrity checks for production use.

LLM verification: The provided SKILL.md is a benign, well-scoped developer guide for Mingdao HAP custom view plugin development. No direct malicious code, obfuscation, or credential-harvesting routines are present in the document itself. The primary security concerns are supply-chain and operational: repeated instructions to run npm installs (including global installs with sudo) and an AI-directed automatic-install behavior increase risk if executed without explicit user approval. Actions: treat mdye-cli and depe