gget

Fail

Audited by Socket on Feb 16, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Installation of third-party script detected

All findings:

- [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
- [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
- [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
- [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]

This document describes a legitimate, feature-rich bioinformatics CLI/package (gget). I found no direct evidence of malicious code or obfuscation in the provided documentation. However, there are notable security concerns: examples show passing sensitive credentials (COSMIC password, OpenAI api_key) on the command line, which can leak via process listings or shell history; setup/download steps (AlphaFold model files, other DBs) lack stated provenance/checksums; and the package appears to run external binaries and downloads, which increases supply-chain risk depending on implementation and download endpoints. Before use in sensitive environments: inspect the actual implementation for where downloads are sourced, whether HTTPS + checksum/signature verification is used, how subprocesses are spawned and whether inputs are sanitized, and prefer env vars or credential files over CLI flags for secrets.

LLM verification: The SKILL.md describes a legitimate multi-database bioinformatics toolkit with expected network-facing behavior. However, unpinned dependencies and non-standard installation pathways introduce notable supply-chain and reproducibility risks. Recommend adopting pinned dependencies (exact versions), using a requirements.txt with hash verification, providing an accompanying pyproject/poetry.lock or Pipfile.lock, and clearly documenting trust boundaries (source of dependencies, verified mirrors, and

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At
Feb 16, 2026, 10:47 AM
Package URL
pkg:socket/skills-sh/microck%2Fordinary-claude-skills%2Fgget%2F@f9264526be8c35a1c7223d2eca259b8c1b3557cc