docx
Audited by Socket on Feb 22, 2026
1 alert found:
Security [Skill Scanner]: Installation of third-party script detected

All findings:
- [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4]
- [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4]
- [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4]
- [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4]
- [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4]

This skill's capabilities are consistent with its stated purpose (creating, editing, and analyzing .docx files) and use standard local tools and libraries. There are no explicit malicious network calls, hard-coded credentials, or download-and-execute patterns. However, there are noteworthy risks: mandatory full-file reads (the repeated 'READ ENTIRE FILE' directives), global package installs, and execution of local unpack/pack scripts without sandboxing. These increase the potential for accidental or deliberate data exposure and supply-chain risk if the environment or scripts are compromised.

Overall classification: not malicious code, but moderate supply-chain / data-exposure risk. Exercise caution: run in a sandbox, verify unpack/pack scripts and installed packages, and avoid global installs when possible.

LLM verification: This skill's stated purpose (docx creation/editing/analysis) matches the described capabilities, but it includes several supply-chain and execution risks. The key concerns: mandatory execution of local unpack/pack Python scripts without verification, unpinned/global installs via apt/npm/pip, and repeated instructions to read entire large documentation files. These patterns increase the chance that malicious or compromised dependencies or scripts could execute on the host. I assess this skill as