security-headers
Audited by Socket on Feb 21, 2026
1 alert found:
Security [Skill Scanner]: Backtick command substitution detected

All findings:
- [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
- [HIGH] data_exfiltration: Outbound data post or form upload via curl/wget detected (NW002) [AITech 8.2.3]

This skill is coherent with its stated purpose: it fetches HTTP headers, analyzes them, and generates framework-specific header configurations. There are no clear signs of malicious intent. The main security considerations are standard: npm dependency installation (pin versions), accepting arbitrary URLs for curl (validate inputs), and the cross-skill shared cache / filesystem writes, which increase attack surface and the risk of unintended data exposure. Recommend adding explicit warnings/consent for file writes, pinning npm package versions, and restricting or documenting cache sharing access.

LLM verification: This skill appears to be a legitimate security-headers utility: its capabilities align with the stated purpose (checking headers and generating configurations). Primary risks are supply-chain and privacy-related rather than outright malicious code: unpinned npm install of helmet, use of curl to send the inspected URL to third-party scanners (potential data leak), and a shared/indefinitely-lived cache across skills that increases attack surface if compromised. There is a minor doc/code inconsiste