scanning-for-secrets

SUSPICIOUS. The core purpose is legitimate and local-file access is proportionate for secret scanning, but the skill relies on vague, unverifiable tooling (`secret-scanner` plugin / tools installed as needed) and grants broader shell access than the stated task requires. No direct exfiltration, credential harvesting, or malicious endpoint is shown, so this is not confirmed malware; the main issue is install/execution trust and overbroad execution scope.