statusline-generator

Warn

Audited by Socket on Feb 23, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Backtick command substitution detected

All findings:
- [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
- [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

At the manifest/documentation level this skill is coherent with its stated purpose (statusline generation, git integration, optional ccusage cost display). There are no clear malicious instructions or hardcoded secrets in the provided text. However, the install model requires executing local shell scripts and overwriting/adding a script under ~/.claude that the Claude client will run; because the actual scripts (scripts/install_statusline.sh and scripts/generate_statusline.sh) were not provided for review, there is a non-trivial supply-chain risk. Recommend inspecting the contents of those scripts before running the installer, and verifying ccusage's provenance if you enable cost tracking. Overall: functional and plausible, but treat the installer scripts as untrusted until audited.

LLM verification: The SKILL.md documentation itself appears benign and internally consistent: requested commands and file access align with the stated purpose (statusline, ccusage, git). There is no evidence in the provided document of credential harvesting, network exfiltration, obfuscation, or malicious code. The main security concern is procedural: the documentation instructs running shell installer scripts whose contents are not included; any install script run as bash without inspection is a supply-chain ri

Confidence: 75%
Severity: 75%
Audit Metadata
Analyzed At: Feb 23, 2026, 05:31 AM
Package URL: pkg:socket/skills-sh/nguyendinhquocx%2Fcode-ai%2Fstatusline-generator%2F@f1f604f8f156ddc460539b1af81841bb79321944