skill-creator
Warn
Audited by Socket on Apr 26, 2026
1 alert found:
Anomaly (LOW): scripts/create.cjs
No direct evidence of malware or obfuscation is present in this wrapper, but it introduces a significant supply-chain/local-tampering risk by executing a local on-disk legacy artifact (create.legacy.cjs.bak) via runNodeScript. User-controlled CLI arguments influence execution in the fallback path, and the integrity/contents of the legacy artifact and the argument handling inside runNodeScript/actions are critical to overall risk. This should be reviewed and protected (e.g., artifact integrity checks, locked-down write permissions, and safe argument parsing/redaction in delegated code).
Confidence: 58%
Severity: 60%