conductor-dev

[Skill Scanner] Backtick command substitution detected This skill file is largely benign in intent (project scaffolding and workflow orchestration) and its capabilities generally match the stated purpose. However it contains risky operational mandates: forced use of the Figma extension for all UI tasks, mandatory device screenshot capture and import into project artifacts, and a requirement to display conductor/learning.md contents in chat whenever updated. Those behaviors create realistic data-exfiltration/privacy risks and grant broad operational power to whoever or whatever executes the steps. I classify the skill as SUSPICIOUS in practice (not obviously malicious code, but with significant potential for sensitive-data leakage and overbroad permissions). Recommend: make Figma usage optional, require explicit user consent before capturing/pulling device screenshots, avoid auto-displaying potentially sensitive learning.md content to chat or require redaction/approval, and document secure handling of Figma credentials and endpoints. LLM verification: This Skill's stated purpose (scaffolding a Conductor directory and enforcing a UI-first workflow) is broadly consistent with most capabilities, but it requires high-risk operations (network fetches from Figma, device-level screenshots via hdc, and running build tools) without constraining data flows or endpoints. The mandatory behavior to display conductor/learning.md in chat when updated is a privacy/leakage risk. No direct signs of malware or obfuscation were found, but the skill is over-privi