baoyu-format-markdown
Audited by Socket on Feb 22, 2026
1 alert found:
Security: [Skill Scanner] Backtick command substitution detected

This skill's functionality is coherent with its stated purpose (markdown/plain-text formatting). However, it instructs running an unpinned download-and-execute command (`npx -y bun ${SKILL_DIR}/scripts/main.ts`), and it delegates actual formatting behavior to external scripts that are not included in the document. That download-execute pattern and unpinned runtime execution are high-risk supply-chain signals. There is also the ability to modify files in-place and an automated title selection behavior. I classify this SKILL.md as SUSPICIOUS: not obviously malicious from the document alone, but it has notable supply-chain and operational risks that require auditing the referenced scripts (`scripts/main.ts`, `scripts/quotes.ts`, `scripts/autocorrect.ts`) and avoiding unpinned npx execution in sensitive environments.

LLM verification: This SKILL.md is functionally a reasonable markdown formatter and its stated capabilities match the documented operations (reading files, formatting, creating frontmatter, running a typography script). However, it relies on an unpinned download-and-execute pattern (`npx -y bun ${SKILL_DIR}/scripts/main.ts`) and documents running package manager installs. That runtime pattern is a supply-chain risk: at execution time arbitrary code may be fetched and run, which could read or exfiltrate files, mod