webpack-optimize

[Skill Scanner] Backtick command substitution detected All findings: [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] BENIGN: The skill is a configuration optimization assistant for build tools, with safe, scoped capabilities (detection, analysis, templated optimization guidance, and rollback safety). No credential harvesting, no suspicious data exfiltration, and no unauthorized external actions are evident. Ensure runtime changes are gated behind explicit user confirmation and maintainability practices to prevent production-impacting changes. LLM verification: The code implements a legitimate build-tool detection and optimization analysis flow: detecting build tool, reading config files, optionally invoking local build tooling (webpack --json), parsing results with jq, and caching analysis results under .claude/cache/webpack-optimize. I found no signs of remote exfiltration, obfuscated code, hard-coded credentials, or clear malicious backdoors. The primary security considerations are operational: this script executes project-local build tooling (which