mcp-to-skill

Fail

Audited by Socket on Feb 21, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Instruction to copy/paste content into terminal detected

All findings:
[CRITICAL] command_injection: Instruction to copy/paste content into terminal detected (CI012) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

The workflow and helper-script approach accomplish the intended conversion goal but include multiple supply-chain and operational security concerns: unpinned npx usage (automatic remote code execution), substitution and persistence of environment-variable secrets to disk without secure handling, and explicit guidance to execute commands directly without prior confirmation. These make accidental or intentional secret exposure and unintended network actions more likely. I do not see explicit malicious code in the provided material, but prior to running this workflow in sensitive environments you should:
(1) inspect and pin the mcp-to-skill package and its dependencies,
(2) review the exact exec-with-env.sh implementation for unsafe shell usage or exfiltration,
(3) avoid writing plaintext secrets to persistent locations (use in-memory substitution or secure temporary files and immediately scrub),
(4) prefer an explicit confirmation step before executing tool commands that may contact external endpoints, and
(5) run generation/execution in an isolated environment or CI with limited privileges.

LLM verification: This skill performs functionality that is consistent with converting MCP configs into agent skills, but it carries non-trivial supply-chain and secret-exfiltration risks.
Major concerns: use of npx -y (unpinned, auto-download-and-execute), the design to resolve and inject host environment variables into generated configs and then directly execute external tools, and the explicit guidance to 'execute directly' without user confirmation. Without seeing exec-with-env.sh content, it's impossible to

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At
Feb 21, 2026, 12:20 PM
Package URL
pkg:socket/skills-sh/mengbo%2Fmengbo-skills%2Fmcp-to-skill%2F@ed5440a8720414718230eb363f16c2b766d9c8e2