blogwatcher
Audited by Socket on Feb 23, 2026
1 alert found:
Security [Skill Scanner]: Installation of third-party script detected

Based on this document alone, the skill/manifest appears benign and consistent with its stated purpose (monitor blogs/RSS feeds). There are no embedded malicious instructions, credential-harvesting patterns, or download-and-execute chains in this file. The only minor supply-chain concern is the unpinned `go install ...@latest` install instruction (best practice is to pin a version). To fully assess runtime risks (telemetry, exfiltration, disabled TLS, or hidden behavior) the actual repository code/binary must be audited. Recommendation: review the code in github.com/Hyaxia/blogwatcher before installing; prefer a pinned release.

LLM verification: No explicit malicious code is present in the supplied documentation. The primary issue is a supply-chain/install-time risk: the documentation instructs users to run `go install ...@latest`, which fetches and builds remote code with no pinned version or checksum. Because the actual repository contents and built binary were not provided, their behavior cannot be audited here. Treat this package as untrusted until you review the repository (pin to a commit/tag, verify signatures/checksums, or inclu
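The pinned-install recommendation above, as an added shell example; this is not code from the Socket report or from the blogwatcher project. It refuses `@latest` and branch names, installs only a semver tag or a full commit hash, and then checks with `go version -m` that the resulting binary embeds that version. Note that `go install` already checks module hashes against the default checksum database (GOSUMDB=sum.golang.org) even for `@latest`; what pinning adds is that the version whose hash gets checked is the one you reviewed. The tag `v0.1.0`, the assumption that the module path equals the repository path, and the binary name `blogwatcher` are assumptions for illustration.

```shell
#!/bin/sh
# Added example; not part of the Socket report or of github.com/Hyaxia/blogwatcher.
# Assumptions: the module path equals the repo path, the binary is named after the
# last path element, and the tag v0.1.0 in the usage comment is a stand-in for a real release.

# Returns 0 when REF is a pinned semver tag (vX.Y.Z, optional pre-release suffix)
# or a full 40-hex commit hash; returns 1 for "latest", branch names, or empty input.
is_pinned_ref() {
  ref="$1"
  case "$ref" in
    ""|latest|master|main) return 1 ;;
  esac
  if printf '%s\n' "$ref" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$'; then
    return 0
  fi
  if printf '%s\n' "$ref" | grep -Eq '^[0-9a-f]{40}$'; then
    return 0
  fi
  return 1
}

# Escapes dots so a module path or version can be used literally in an ERE.
re_escape() {
  printf '%s' "$1" | sed 's/[.]/\\./g'
}

# Prints the ERE that the "mod" line of `go version -m <binary>` must match.
# A commit ref resolves to a pseudo-version ending in its first 12 hex digits,
# e.g. v0.0.0-20260101120000-0123456789ab, so that is what we look for.
expected_mod_pattern() {
  module="$(re_escape "$1")"; ref="$2"
  if printf '%s\n' "$ref" | grep -Eq '^[0-9a-f]{40}$'; then
    short="$(printf '%s' "$ref" | cut -c1-12)"
    printf '^[[:space:]]*mod[[:space:]]+%s[[:space:]]+v[^[:space:]]*-%s[[:space:]]' "$module" "$short"
  else
    printf '^[[:space:]]*mod[[:space:]]+%s[[:space:]]+%s[[:space:]]' "$module" "$(re_escape "$ref")"
  fi
}

# Installs MODULE@REF only when REF is pinned, then verifies that the binary really
# embeds that version. GONOSUMDB/GOPRIVATE are cleared so the module cannot be
# exempted from the checksum-database check; GOFLAGS is cleared for the same reason.
pinned_go_install() {
  module="$1"; ref="$2"
  if ! is_pinned_ref "$ref"; then
    echo "refusing unpinned ref '$ref' for $module" >&2
    return 1
  fi
  GOFLAGS= GONOSUMDB= GOPRIVATE= go install "${module}@${ref}" || return 1
  gobin="$(go env GOBIN)"
  [ -n "$gobin" ] || gobin="$(go env GOPATH)/bin"
  bin="$gobin/$(basename "$module")"
  if ! go version -m "$bin" | grep -Eq "$(expected_mod_pattern "$module" "$ref")"; then
    echo "$bin does not report $module@$ref in its build info" >&2
    return 1
  fi
  echo "installed $bin at $ref"
}

# Usage (assumed tag; substitute the release you actually reviewed):
#   pinned_go_install github.com/Hyaxia/blogwatcher v0.1.0
#   pinned_go_install github.com/Hyaxia/blogwatcher latest    # refused
```

The post-install check matters because `go install` prints nothing about which version it resolved; reading the `mod` line back from the binary is the only offline proof that what landed in GOBIN is the tag or commit you asked for.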