fix-imports

Warn

Audited by Socket on Feb 21, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Backtick command substitution detected

This 'fix-imports' skill is coherent with its stated purpose: it scans for broken imports, caches resolution patterns, creates a plan, and applies fixes using shell tools and an editor, with verification steps. It does not contain overtly malicious code or remote exfiltration. The main security concerns are operational: aggressive global text replacements (sed) and automatic commits can cause unwanted or incorrect changes; persistent/shared caches may carry stale or cross-project mappings; and the skill assumes broad local tool permissions. These are safety/usability risks rather than evidence of malware.

LLM verification: The skill is a legitimate refactoring utility that automates detection and repair of broken imports with session persistence and resume capability. It does not exhibit direct malware behavior (no exfiltration, no embedded credentials, no external command-and-control). The primary security concerns are operational: automated in-place edits (sed/Edit) combined with automatic commits and a shared persistent cache increase the blast radius and allow poisoning if an attacker can tamper with cache/sta

Confidence: 80%
Severity: 75%

Audit Metadata
Analyzed At: Feb 21, 2026, 12:27 PM
Package URL: pkg:socket/skills-sh/manastalukdar%2Fclaude-devstudio%2Ffix-imports%2F@245bee9a61c8d3d2b2f6d0066c164ef8d380a8fd