ask-a-human
Audited by Socket on Feb 14, 2026
1 alert found:
Malware [Skill Scanner] Natural language instruction to download and install from URL detected

All findings:
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

This skill is functionally consistent and appears benign in terms of malware or covert behavior: it simply documents how to send prompts and poll a third-party crowdsourcing API and requires an agent ID for authentication. The main security issue is privacy and data exposure risk: any prompt content sent will be visible to unknown humans and stored by the third-party service per their policies (not provided here). The documentation should explicitly warn not to include secrets, PII, proprietary code, or other confidential data, and should reference the service's data retention and privacy policies. No obfuscation or executable malware is present in the provided content.

LLM verification: This skill's documented behavior is consistent with its purpose (crowdsourcing subjective judgments) and the capabilities described. The primary risk is privacy and data-exposure: prompts (which may contain sensitive information) and the X-Agent-ID are sent to a third-party service (api.ask-a-human.com). That is expected for this kind of integration but elevates the security/privacy risk — agents must avoid sending secrets and must treat stored question_id/prompt memory as sensitive. I find no s