barrel-craft

Warn

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION

Full Analysis

The SKILL.md file is a documentation-only skill that guides the AI on how to instruct users to use the barrel-craft tool. The skill itself does not contain any executable code that the AI would run directly. However, it explicitly provides instructions for users to install the barrel-craft tool:

  • bun install -g barrel-craft (Line 46)
  • bun add -D barrel-craft (Line 49)

This instruction leads to the download and installation of an external package (barrel-craft) from a package registry via the bun package manager. barrel-craft is not listed as a trusted external source. Therefore, this constitutes an UNVERIFIABLE_DEPENDENCY (MEDIUM severity) and an EXTERNAL_DOWNLOAD.

Furthermore, the skill instructs the user to execute various barrel-craft commands (e.g., barrel-craft, barrel-craft ./src/components, barrel-craft init, barrel-craft clean). These are direct COMMAND_EXECUTION instructions. While the commands themselves are for a specific tool and appear benign in context (file organization), the act of instructing the user to execute external commands is a security consideration.

No prompt injection, data exfiltration, obfuscation, privilege escalation, persistence mechanisms, metadata poisoning, or time-delayed/conditional attacks were detected within the skill's own content. The primary risk stems from the recommendation to install and execute an external, unverified tool.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 13, 2026, 04:14 AM