security-scan
Audited by Socket on Feb 17, 2026
1 alert found:
Obfuscated File

The file describes a legitimate pre-commit security scanning skill: grep-based secret detection, language-specific vulnerability audits, injection pattern checks, and gating behavior to halt commits on critical findings. There is no direct evidence of malware or obfuscated payloads in the provided content. The primary concerns are operational: an explicit prohibition on manual scans (which discourages independent verification) and the reliance on third-party tooling/containers (which should be pinned and audited). Recommend: allow use after removing or clarifying the prohibition on manual scanning, pin and document versions/digests for any third-party containers/tools, and make halt policies auditable and configurable.