ai-integration
Audited by Socket on Feb 17, 2026
1 alert found:
Malware: [Skill Scanner] Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

This skill appears to be a legitimate, well-structured AI integration scaffold. Its requested capabilities, environment variables, installed packages, and network calls are consistent with the stated purpose of adding chat, streaming, RAG, embeddings, vector search, and tool-calling support. There are no clear signs of malicious behavior in the provided files. Main caution points: (1) many external credentials are required — protect them in CI/CD and avoid committing them; (2) inspect the referenced validation script before running; (3) be mindful when evaluating user-provided content (calculator) and when calling external third-party APIs (weather) — apply rate-limiting, input sanitization, and error handling as recommended in the doc.

LLM verification: The artifact is a documentation-driven AI integration skill with templates and guidance for implementing AI features. It is largely benign and aligned with its purpose, though it introduces moderate risk if the automation incorrectly executes unpinned installs or misuses code snippets. Recommend treating as guidance, pinning dependencies, validating sources, and ensuring environment-secrets are managed securely. No evidence of active malware or data exfiltration in the artifact.