typescript-backend-project-setup
Audited by Socket on Feb 21, 2026
1 alert found:
Security [Skill Scanner]: Credential file access detected

All findings:
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]

Overall, the analysis indicates a benign, well-scoped scaffolding tool that enforces strict standards and AI guardrails for an NX monorepo. While the configuration discipline is aggressive, it is consistent with a governance-focused setup. Risks are mostly operational (path dependencies, potential loss of existing configs) rather than security or malware-driven. Recommend adding validation, opt-in strictness, and a detailed change-log before applying overwrites in production environments.

LLM verification:
Verdict: SUSPICIOUS (not malicious by intent but medium-high supply-chain risk).
The skill's functionality aligns with its stated purpose, but it contains multiple supply-chain and destructive patterns that raise security concerns: unpinned remote installs (npx/pnpm), executing remote scaffolding code, copying and enabling executable hooks from a user-supplied local path (which could inject arbitrary behavior), and instructions to fully overwrite config files without backup. These behaviors are