gget

Fail

Audited by Socket on Feb 16, 2026

1 alert found:

Malware: HIGH
SKILL.md

[Skill Scanner] Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]

Based on the provided documentation (no source code), gget's described capabilities and required credentials are coherent with its stated purpose as a bioinformatics CLI/Python toolkit. There are no overt malicious behaviors in the documentation itself. Primary security concerns are operational: (1) handling of sensitive credentials (COSMIC credentials, OpenAI API keys) — passing them on the command line is risky; (2) supply-chain risk from downloading large model parameters and native binaries during setup (AlphaFold/OpenMM, DIAMOND/BLAST binaries) — users should verify sources and checksums; (3) execution of external installers/commands may alter environments and should be reviewed before automated runs. I assess this artifact as benign in intent but with moderate operational security risks that require user caution and verification of implementation and download endpoints.

LLM verification: Based on the provided SKILL.md, this appears to be a legitimate bioinformatics skill whose capabilities align with its stated purpose. There are moderate supply-chain risks: unpinned pip installs, reliance on curl for downloads without documented integrity checks, and lack of explicit endpoint transparency (could allow proxying or credential interception if the implementation used third-party gateways). I found no direct evidence of malicious code or intent in the documentation. Recommended miti

Confidence: 95%
Severity: 90%

Audit Metadata
Analyzed At: Feb 16, 2026, 01:04 PM
Package URL: pkg:socket/skills-sh/lifangda%2Fclaude-plugins%2Fgget%2F@c1e970438612d79ef231636f9d98202f0317c77a