sveltia-cms
Audited by Socket on Feb 15, 2026
1 alert found:
Malware

No direct malicious code or obfuscation is present in this SKILL.md. The documented capabilities align with the stated purpose and requested credentials are proportional to a GitHub-backed CMS. The main security concern is supply-chain and operational: the OAuth flow routes through a Cloudflare Worker proxy and the CMS JavaScript is loaded from unpkg; both are legitimate but require the operator to trust and verify the external repos and deployed endpoints. If an attacker controls the worker endpoint or the CDN-hosted bundle, they could harvest OAuth codes/tokens or perform unauthorized repository access. Recommend verifying the sveltia-cms-auth repository source, pinning bundle versions, hosting JS locally if possible, and auditing deployed worker code before providing client secrets.