repo-hygiene
Audited by Socket on Feb 16, 2026
1 alert found:
Malware [Skill Scanner]: Installation of third-party script detected

All findings:
- [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] (reported 8 times)
- [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4]
- [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] (reported 4 times)
- [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]

No evidence of malicious code or supply-chain credential exfiltration in this skill document. The skill is a detailed checklist/instruction set for repo hygiene; its capabilities align with its stated purpose. The primary security concerns are operational: some recommended fixes are potentially destructive (git history rewrites, force-upgrades, deleting remote branches, removing tracked .env files) and must be gated by explicit user confirmation and secret-rotation procedures. Treat auto-fix actions cautiously and require explicit consent before executing any destructive operations.
LLM verification: No evidence of intentionally malicious code in this skill file — it is documentation and commands for repo hygiene and the capabilities listed match its stated purpose. However, there are several security hygiene problems in the examples that could lead to accidental data exposure or unsafe system changes if copied into scripts/CI without review: echoing CI secrets or writing them to outputs, use of chmod 777 and rm -rf, and numerous unpinned installs. These are safety/usability issues rather th