scanning-for-secrets

SUSPICIOUS: the core purpose is legitimate and local-file access is mostly proportionate, but the skill’s actual execution path is underspecified because the referenced `secret-scanner` plugin is not concretely identified or verifiably installed in the skill itself. Broad Bash permissions and scope drift beyond secret scanning increase risk, though there is no clear evidence of credential exfiltration or confirmed malicious behavior.