animate
Audited by Socket on Feb 26, 2026
1 alert found:
Security: This skill's stated purpose (scaffold and generate small animation projects) aligns with the described capabilities. The primary security concerns are supply-chain and execution risks: it requires running a local scaffold script, then npm install (which executes dependency lifecycle scripts such as preinstall and postinstall, regardless of whether those packages are trusted) and npm run dev (which executes whatever the generated package.json defines), and it optionally reads GEMINI_API_KEY to send user-provided descriptions to the Gemini API. Those behaviors are plausible for the feature set, but they increase the attack surface if templates, scaffold.sh, or npm dependencies are untrusted or have been tampered with. Recommended: treat scaffold.sh and the template directory as sensitive, trusted artifacts and verify them before each run; pin package versions and commit a lockfile in generated projects; document clearly that providing GEMINI_API_KEY sends the user's descriptions to an external API; and restrict the agent's tooling rights in production to reduce the blast radius of a compromised template or dependency.