security-scanner

Fail

Audited by Socket on Feb 24, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Natural language instruction to download and install from URL detected.

This skill is a legitimate, utility-focused security scanning playbook. It contains appropriate commands and tooling for secret detection, dependency scanning, and static analysis. It does not itself perform credential harvesting or exfiltration. The primary risks are supply-chain hygiene issues: recommending installations from PyPI and GitHub releases without advising checksum/signature verification or pinned versions. Recommend adding guidance to verify tool integrity, pin tool versions, and run third-party scanners in isolated environments (CI runners or containers) to reduce supply-chain risk.

LLM verification: The provided skill documentation and quick-scan script are consistent with a benign security-scanning purpose. No malicious code, credential exfiltration, obfuscated payloads, or hidden backdoors were found in the supplied content. The primary security concern is supply-chain risk from unpinned package installations and downloads of third-party binaries without verification. Mitigations: pin tool versions and hashes, require checksum/signature verification for binaries, recommend isolated execut

Confidence: 95%
Severity: 90%
Audit Metadata

Analyzed At: Feb 24, 2026, 05:49 PM
Package URL: pkg:socket/skills-sh/matteocervelli%2Fllms%2Fsecurity-scanner%2F@2bf6115114531c0754cc88c7a11b1016183aec15