learn-agentfactory
Audited by Socket on Feb 24, 2026
1 alert found:
Anomaly [Skill Scanner]: Skill instructions include directives to hide actions from user

The fragment describes a coherent, purpose-aligned tutoring skill intended to guide learners through a structured blended-discovery process using controlled API interactions and local state persistence. The workflow is plausible for legitimate educational tooling and does not exhibit clear malicious patterns such as arbitrary downloads, credential harvesting, or autonomous real-world actions. Some risk remains around auth/token handling and local data persistence in user environments, but there is no evidence of malicious intent or actions within this fragment.

LLM verification: This SKILL.md appears functionally consistent with its stated purpose (a blended-discovery tutor) — it requests access to learner files, environment URLs, and local helper scripts, which are proportionate to personalization and API-driven lesson fetching. The main security concern is not the SKILL.md text itself but the external scripts it mandates (scripts/api.py and scripts/auth.py) and the persistent caches of lessons and tokens: if those scripts are untrusted or if cached files are stored in