claude-code-plugin

Fail

Audited by Socket on Feb 16, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4]

The material is internally consistent with its stated purpose of guiding plugin development and lifecycle management. It does not exhibit malicious behavior, unclear data flows, or credential harvesting patterns within the provided content. It should be considered benign guidance documentation for legitimate plugin ecosystems.

LLM verification: The code fragment is a documentation artifact (a comprehensive guide) rather than an executable library. Purpose-to-capability alignment is good: it explains plugin architecture and release workflows as claimed. The main concern is the presence of dangerous command examples (rm -rf, chmod 777) and npm install in an illustrative context; these are potentially hazardous if copied into automation without safeguards. Treat as SUSPICIOUS due to potential for misuse if copied into automation; otherwis

Confidence: 95%
Severity: 90%

Audit Metadata
Analyzed At: Feb 16, 2026, 10:50 AM
Package URL: pkg:socket/skills-sh/miles990%2Fclaude-software-skills%2Fclaude-code-plugin%2F@c8726ebe62609af400166e5532e620265048f424