library-ebooks
Audited by Socket on Feb 15, 2026
1 alert found:
Malware [Skill Scanner] Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

This skill's stated purpose (searching/downloading ebooks from a user's Kindle library) aligns with its commands and credential requirement. However, the implementation/documentation routes downloads and the LIBRARY_KEY credential to third-party 'library-archive.*' mirror domains rather than official Amazon endpoints and gives no provenance or hosting guidance for that proxy. That makes the skill suspicious for credential exposure or content exfiltration if the proxy is untrusted or malicious.

Recommendation: treat this as SUSPICIOUS until the operator/ownership and hosting details for library-archive.* are verified. Do not set LIBRARY_KEY unless you control and trust the proxy; prefer official APIs or self-hosted, auditable proxy deployments.

LLM verification: SUSPICIOUS — The skill's stated purpose (accessing the user's Amazon/Kindle library) would normally require either direct authenticated calls to Amazon APIs or a well-documented, trusted internal proxy. Instead the skill instructs users to provide a LIBRARY_KEY and sends that key and download requests to third‑party domains (library-archive.*) and multiple country TLD mirrors. This design routes credentials and purchased-content requests away from official endpoints to an unverified service, whi