license-check

Fail

Audited by Socket on Feb 21, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Instruction to copy/paste content into terminal detected

All findings:
[CRITICAL] command_injection: Instruction to copy/paste content into terminal detected (CI012) [AITech 9.1.4]
[CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

This skill is functionally consistent with its stated purpose (license scanning, conflict detection, report generation). It does not contain direct exfiltration, backdoors, or obfuscated malware. However, it introduces moderate supply-chain risk by installing external tooling at runtime without pinned versions and by automatically creating CI workflows and pre-commit hooks and writing persistent/shared cache files. Recommended mitigations: pin tool versions, prefer local or vendored scanner binaries, make repo/CI/hook modifications opt-in, ensure .claude cache is protected/ignored from commits, and review installs before running in sensitive environments.

LLM verification: This skill is functionally benign and aligned with its stated purpose (license scanning and reporting). It does not contain evidence of intentional malware or data exfiltration. Primary concerns are supply-chain and operational risks: it instructs unpinned global installs of third-party CLIs, suggests destructive cache clearing (rm -rf), and installs git hooks/CI steps that execute third-party tools in developer or CI environments. These patterns increase attack surface and should be hardened (p

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At
Feb 21, 2026, 12:27 PM
Package URL
pkg:socket/skills-sh/manastalukdar%2Fclaude-devstudio%2Flicense-check%2F@56fde773cbbad30df2452bef7043a5c590ffdc9c