gentleman-system

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] This skill/documentation fragment is consistent with an installer system: OS detection, choosing platform-specific package commands, running commands (including with sudo), and performing file operations. There is no direct evidence of malicious behavior (no obfuscated code, no hardcoded credentials, no network exfiltration). However, the functionality inherently holds moderate security risk because it executes system commands with elevated privileges and manipulates files. Security recommendations: audit implementations of system.Run* to ensure command arguments are not constructed from untrusted input (prevent command injection), verify where SendLog/ log callbacks send data (prevent leaking stdout/stderr remotely), and validate path handling in CopyDir/CopyFile (avoid path traversal or accidental overwrites). Overall: not malicious, but requires careful review and runtime protections. LLM verification: The best-presented assessment finds the skill to be purpose-aligned and coherent, with legitimate use in an installer workflow. However, it inherently carries elevated privileges and broad system impact; thus, it should be restricted to trusted contexts, with explicit validation, auditing, and least-privilege defaults. Static scanner findings in documentation require careful review to ensure no secrets or unsafe script execution paths exist in actual code. Overall, the risk is moderate but manag