quark-download-skill
Audited by Socket on Feb 20, 2026
1 alert found:
Security
[Skill Scanner] Backtick command substitution detected

Based on the documentation, the skill's capabilities align with its stated purpose and there are no direct signs of malware in the specification itself. However, there are privacy and supply-chain risks: searches and validation are routed through a third-party aggregator (PanSou), which could collect user queries and share metadata; the skill may request extraction codes (sensitive) and uses an unauthenticated local Quark API, increasing local risk surface. Because the actual CLI script source was not provided, there is uncertainty whether it transmits sensitive data beyond the documented endpoints. Overall the package is SUSPICIOUS from a privacy/supply-chain perspective but not overtly malicious based on available information — review the actual script before use.

LLM verification: No explicit malware or obfuscated malicious code is evident in the provided SKILL.md documentation. The behavior described is largely consistent with the stated purpose (search + validate + save to local Quark APP). However, there are privacy and supply‑chain concerns: the skill routes searches/validations through a third‑party aggregator (PanSou) which could collect search terms and share IDs; the doc claims the local Quark API requires no authentication which, if true, exposes an unauthenticat