types-generate
Audited by Socket on Feb 21, 2026
1 alert found:
Malware [Skill Scanner] Destructive bash command detected (rm -rf, chmod 777)

All findings:
[CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

Functionally this skill appears benign and consistent with its stated purpose (type generation). The primary risks are supply-chain and operational: it performs runtime package installs and executes packages via npx, and it fetches arbitrary API URLs with curl and feeds results to code generators. These patterns are acceptable in dev environments but pose moderate risk in automated or multi-tenant execution contexts. Recommend pinning/locking dev dependencies, avoiding automatic npm installs in untrusted environments, validating/sandboxing external API endpoints, and limiting shared cache usage.

LLM verification: The skill's behavior matches its stated purpose (type generation) and uses common developer tools and patterns. The main security concerns are supply-chain and execution risks from unpinned npm installs and npx execution, the use of curl to fetch arbitrary API endpoints (which could be misused to access internal services or expose sample responses), and documented destructive commands (rm -rf). These are not definitive signs of malware, but they raise moderate security risk for projects that run