bitecs

Fail

Audited by Socket on Feb 15, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

This skill/documentation appears to be benign and consistent with its stated purpose: describing an ECS library API, serialization, and multithreading examples. There is no embedded malicious code or external download/install instructions beyond the normal npm install line. The main risks are implementation and integration risks: example observer callbacks could be wired to send data to arbitrary endpoints by the integrator, deserializers can corrupt world state if fed untrusted buffers or incorrect id maps, and SharedArrayBuffer usage has platform/security considerations. These are normal, expected risks for a serialization/multithreading ECS toolkit, not indicators of supply-chain malicious behavior in the text provided.

LLM verification: Verdict: Benign-with-guardrails. The skill fragment functions as a documentation/guide for bitecs with no active code or data exfiltration. Scanner flags relate to documentation content and standard npm usage, not actual behavior. To minimize risk, hosting environments should enforce strict execution policies (no auto-install, no shell execution from docs, no remote script loading) and treat npm install commands as informational only.

Confidence: 95%
Severity: 90%

Audit Metadata
Analyzed At: Feb 15, 2026, 11:29 PM
Package URL: pkg:socket/skills-sh/kadajett%2Fbitecs-agent-skill%2Fbitecs%2F@cfe94ea634225ec93b0da7566651d022d5ff33b1