iconfont-downloader

Warn

Audited by Socket on Mar 2, 2026

1 alert found:

Security (MEDIUM)
SKILL.md

The skill's described behavior aligns with its stated purpose and does not present explicit signs of embedded malicious backdoors in the provided documentation. The main security concerns are: handling of sensitive credentials (in-process cookie extraction), arbitrary file writes (outputPath), processing untrusted scraped content, and transitive supply-chain risk from dynamic imports and browser binary downloads. Recommended mitigations: review the implementation to confirm credentials are not persisted or logged, sanitize and restrict output paths, avoid executing scraped content, run installs in controlled environments, and audit transitive dependencies. Treat this skill as moderately risky until the implementation and runtime behavior (especially cookie/credential handling and any network endpoints) are inspected.

Confidence: 75%
Severity: 75%

Audit Metadata

Analyzed At: Mar 2, 2026, 10:30 PM
Package URL: pkg:socket/skills-sh/js-mark%2Fsuper-client-r%2Ficonfont-downloader%2F@db70f3ba0c8a64e9bcf593a56ae9ee7291c8e2f1