skill-master

The module itself contains no clear malicious payloads (no obfuscation, no remote shells, no hardcoded credentials). The dominant security concern is data exfiltration and privacy leakage: it constructs detailed prompts containing SKILL.md content, eval results, and forwards nearly all environment variables to an external 'claude' CLI which is an opaque sink that may contact remote services. It also can persist full prompts/responses to disk and print them to stdout/stderr. Treat inputs and environment as sensitive; avoid running this code in environments with secrets unless 'claude' is trusted, restrict environment variables, redact sensitive fields before sending, and avoid persistent logging of prompts.