moru-python

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] This skill documentation is coherent and aligned with its stated purpose: controlling Moru cloud sandboxes from Python. I find no evidence in the provided text of malicious code or intent. The real risks arise from the capabilities described (running arbitrary commands, enabling internet access, persistent volumes, and exposing public URLs). Consumers should treat these as operational security concerns: do not run untrusted code without isolation policies, avoid placing sensitive credentials inside sandboxes or persistent volumes, restrict allow_internet_access when not needed, and protect MORU_API_KEY. If you need to be cautious about supply-chain trust, verify the pip package source and the maintainer's reputation before installing. LLM verification: The SKILL.md content documents a high-power sandboxing SDK. Its capabilities (command execution, file I/O, volumes, root user, internet access, exposing public URLs, and building templates from local files) are consistent with the stated purpose of running and managing isolated sandboxes, but they are inherently high-risk and require careful use. I found no explicit malicious code patterns, hardcoded secrets, or obfuscated payloads in this documentation. However, supply-chain hygiene concerns ex