bundle-analyze

Warn

Audited by Socket on Feb 21, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Backtick command substitution detected

All findings:

- [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
- [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]

No malicious behavior detected. This skill performs local repository analysis, writes analyzer configs and reports, and installs typical dev-dependency analyzers via npm. The actions are consistent with its stated purpose. The main operational risk is the normal supply-chain risk of running npm install (unpinned versions) and executing generated Node scripts; those should be run with user awareness. No credential harvesting, remote exfiltration, obfuscated payloads, or suspicious domains were found.

LLM verification: No malicious code or explicit exfiltration was found in the provided scripts. The tool is functionally aligned with its stated purpose: local bundle analysis and recommendations. The main security concern is supply-chain exposure from unpinned npm installs and executing third-party analyzer tools. Treat this package as benign for local use if users apply standard precautions (pin versions, review generated files, avoid committing caches, run installs in isolated environments).
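The audit's main concern is unpinned npm installs. One concrete pre-install check is to inspect the package.json the skill writes or installs from and flag every dependency specifier that is not an exact version. The script below is an added example; it is not code from the Socket audit or from the bundle-analyze skill. The package.json it inspects is constructed for illustration, and the package names in it are placeholders rather than what the skill actually installs.

```javascript
// Added example, not part of the Socket audit or the bundle-analyze skill:
// flag dependency specifiers in a package.json that are not pinned to an
// exact version (the unpinned-install risk the audit names) before running
// `npm install`. The manifest below is constructed for illustration; the
// package names are placeholders, not what the skill actually installs.

const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-project",
  devDependencies: {
    "webpack-bundle-analyzer": "^4.10.1",            // caret range: floats to newer 4.x
    "source-map-explorer": "2.5.3",                  // exact version: pinned
    "rollup-plugin-visualizer": "latest",            // dist-tag: whatever is published now
    "some-analyzer": "github:example/some-analyzer", // non-registry source
    "another-analyzer": "~1.2.0",                    // tilde range
    "star-analyzer": "*"                             // any version at all
  }
});

// Exact semver: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Heuristic reason why a specifier is not reproducible.
function classifySpecifier(spec) {
  if (/^(github:|gitlab:|bitbucket:|git\+|git:|https?:|file:)/.test(spec)) {
    return "non-registry source";
  }
  if (/^[A-Za-z]/.test(spec)) {
    return "dist-tag"; // "latest", "next", ...
  }
  return "version range"; // ^, ~, *, x, >=, ||
}

// Return every dependency whose specifier could resolve to a different
// artifact on a later install. Each finding records the section, name,
// raw specifier and the reason it was flagged.
function findUnpinnedDependencies(packageJsonText) {
  const manifest = JSON.parse(packageJsonText);
  const findings = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      if (!EXACT_VERSION.test(spec)) {
        findings.push({ section, name, spec, reason: classifySpecifier(spec) });
      }
    }
  }
  return findings;
}

// Print a review summary; returns true only if every dependency is pinned.
function reviewManifest(packageJsonText) {
  const findings = findUnpinnedDependencies(packageJsonText);
  for (const f of findings) {
    console.log(`${f.section}.${f.name}: "${f.spec}" (${f.reason})`);
  }
  if (findings.length === 0) {
    console.log("all dependencies pinned to exact versions");
  }
  return findings.length === 0;
}

reviewManifest(SAMPLE_PACKAGE_JSON);
```

Run it against the package.json the skill generates before letting it install anything. Where a lockfile is committed, `npm ci --ignore-scripts` installs exactly what the lockfile records and skips lifecycle scripts; when adding analyzers by hand, `npm install --save-exact` writes pinned specifiers instead of caret ranges.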

Confidence: 90%
Severity: 75%
Audit Metadata
Analyzed At
Feb 21, 2026, 12:26 PM
Package URL
pkg:socket/skills-sh/manastalukdar%2Fclaude-devstudio%2Fbundle-analyze%2F@8bd6a4a58249444e590c68093b72d3b2c509a953