api-test-generate
Audited by Socket on Feb 21, 2026
1 alert found:
Security [Skill Scanner]: Generic secret pattern detected

No explicit malicious code patterns found. The tool is functionally benign for generating API tests, but it carries moderate supply-chain and integrity risk due to automatic, unpinned npm installs and use of a writable shared cache (.claude) which could be tampered with.

Recommended operational controls: require user confirmation before installs, honor lockfiles, pin dev dependency versions, isolate install execution (container/CI), and validate cache contents prior to use.

LLM verification: This skill appears to be a legitimate API test scaffolding generator. It performs local project inspection (package manifests, source files, OpenAPI schemas), creates test templates, and caches results to a local .claude directory. There is no direct evidence of malicious code, remote exfiltration, obfuscated payloads, or backdoors. However, there are supply-chain risks and privacy concerns: it recommends/executes unpinned npm installs (remote code fetch/execute risk), persists discovered API an