interactive-study-guide
Audited by Socket on Feb 21, 2026
1 alert found:
Security [Skill Scanner]: Installation of third-party script detected. No direct evidence of malicious code appears in the provided description. The main supply-chain concerns are (1) execution of a repository-provided scaffold script (scripts/scaffold.sh) whose contents are not shown, and (2) running npm install without pinned dependencies or a lockfile, allowing transitive or lifecycle-script abuse. Treat the scaffold and dependency installation as potentially risky: inspect scripts/scaffold.sh, require/produce a lockfile with pinned versions, audit postinstall scripts, and run installation/scaffolding in a sandbox or isolated environment before using on sensitive hosts.

LLM verification: This skill's stated purpose and described capabilities are consistent: it converts a study-guide Markdown into a Vite-based interactive app and instructs scaffolding plus npm installs. There is no explicit malicious code in the provided text. However, it uses high-risk supply-chain patterns: an opaque scaffold script and unpinned dependency installation (npm install / npx vite). Those increase the chance of supply-chain compromise if the scaffold script or packages are malicious. Treat this as a