duplication-detect

Warn

Audited by Socket on Feb 21, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Backtick command substitution detected

All findings:
- [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
- [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4]

This skill appears to be a legitimate duplication-detection and DRY-refactoring helper. It reads project files, runs standard tools (jscpd, grep, jq), and writes analysis reports and pattern guides to a local analysis directory. No credential access, remote data exfiltration, or obfuscated/malicious code paths were found. The main security considerations are: (1) it installs a third-party tool from npm (jscpd), which is a normal supply-chain risk; ensure jscpd and its dependencies are trusted and pinned; (2) it suggests creating git hooks and analysis artifacts in the repo, which could be accidentally committed or run on every developer machine. These are operational risks rather than indicators of direct malicious intent. Recommended mitigations: prefer a project-local dev dependency install over a global install, add .claude/duplication-analysis to .gitignore, review any pre-commit hooks before enabling them, and pin/verify the jscpd package version.

LLM verification: This skill is consistent with its stated purpose: it performs local duplication detection and generates DRY refactoring guidance. I found no evidence of direct data exfiltration, hardcoded secrets, obfuscated payloads, or reverse shells. The primary security concern is supply-chain risk from unpinned npm installs and executing third-party CLI tooling (jscpd) on the host; npm packages can run arbitrary code during install. Adding git hooks that run unpinned tools increases exposure. Recommendati

Confidence: 90%
Severity: 75%
Audit Metadata
Analyzed At
Feb 21, 2026, 12:26 PM
Package URL
pkg:socket/skills-sh/manastalukdar%2Fclaude-devstudio%2Fduplication-detect%2F@995a03e64cf06f9c5c0666abf48e6e151891a599