todos-to-issues

Fail

Audited by Socket on Feb 21, 2026

1 alert found:

Malware
Severity: HIGH
SKILL.md

[Skill Scanner] Natural language instruction to download and install from URL detected This skill appears functionally consistent with its stated purpose (finding TODOs and creating GitHub issues). It uses expected local tools (git, gh) and caches to optimize work. Security concerns are operational: executing project build/tests as a mandatory step risks running untrusted code; shared and append-only caches may retain sensitive metadata; automated creation of issues can inadvertently post secrets or sensitive code snippets to issue trackers. I classify this as not malicious but moderately risky in practice — review and mitigate: avoid running untrusted test/build scripts automatically, sanitize TODO contexts before posting, expire/invalidate caches, and limit cache sharing in multi-tenant environments. LLM verification: This skill is functionally consistent with its stated purpose (finding TODOs and creating GitHub issues) and uses expected tools (git, gh). It does not contain explicit malware or obfuscated payloads. However, it has moderate supply-chain and operational risks: it requires gh auth (access to GitHub), can upload code snippets into issues (potential data leakage), writes persistent caches that may contain sensitive TODO content, and runs repository build/test commands as a precondition which can h

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At
Feb 21, 2026, 12:28 PM
Package URL
pkg:socket/skills-sh/manastalukdar%2Fclaude-devstudio%2Ftodos-to-issues%2F@4e13ff4fdcc0183d3e6e1cbe5fad269b4b609019