pica
Audited by Socket on Feb 16, 2026
1 alert found:
Malware [Skill Scanner]: Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]

The skill correctly documents a workflow to operate integrations via Pica and contains no explicit malicious code or obfuscation. The primary security concern is architectural: all integration traffic, action payloads, and connection metadata flow through a third-party passthrough proxy (app.picaos.com). That centralization concentrates sensitive data and increases supply-chain/trust risk. For general usage this is likely acceptable, but for sensitive or high-compliance environments this design requires additional vetting (security posture, audit logs, credential scoping, retention policies, possibly private deployments). No immediate indicators of malware were found in the provided text.

LLM verification: The skill text is consistent with an integration-broker design that intentionally centralizes platform integrations through Pica. There is no direct evidence of obfuscated or overtly malicious code in the provided file. The primary security concern is the architectural centralization of OAuth tokens, connection keys, and action payloads at a third party (Pica). This creates a significant trust and attack surface: if Pica or its infrastructure is compromised or malicious, user tokens and data cou