project-docs
Audited by Socket on Feb 16, 2026
1 alert found:
Obfuscated File

The project-docs skill is a legitimate documentation generator with expected capabilities to read project files and write documentation. I found no malicious code patterns, hard-coded credentials, or obfuscated payloads in the provided content. Primary security concerns are operational: the inclusion of a 'Bash' tool and unrestricted filesystem reads can expose secrets (e.g., .env, .npmrc) if the agent runtime has broad permissions, and there are no explicit redaction or file-scope safeguards in the templates. Recommendations: run analysis in a restricted sandbox scoped to the project directory, implement deny-listing of common secret files and redaction of sensitive values before writing or returning docs, and limit or audit Bash usage (or replace with safe high-level file inspection APIs).
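The following is an added illustration of the three mitigations the audit recommends (reads scoped to the project directory, a deny-list of common secret files, and redaction of secret-looking values before content is returned to the agent). It is not code from the project-docs skill or from Socket; the names `DENY_NAMES`, `SECRET_KV_RE`, `read_for_docs` and `demo`, the deny-list contents, and the sample files `demo()` writes to a temporary directory are all assumptions constructed for the example.

```python
"""Scope-restricted, secret-redacting file reader for a documentation agent.

Added example; not part of the project-docs skill. All names and lists below
are assumptions chosen for illustration.
"""
import re
import tempfile
from pathlib import Path

# Files a docs generator should never read or echo (assumed list; extend per project).
DENY_NAMES = {".env", ".npmrc", ".pypirc", ".netrc", ".git-credentials",
              "id_rsa", "id_ed25519"}
DENY_PREFIXES = (".env.",)                      # .env.local, .env.production, ...
DENY_SUFFIXES = {".pem", ".key", ".p12", ".pfx"}

# KEY=VALUE, key: value or "key": "value" where the key name suggests a credential.
SECRET_KV_RE = re.compile(
    r'(?i)(\b[\w.-]*(?:password|passwd|secret|token|api[_-]?key|private[_-]?key)\b'
    r'["\']?\s*[:=]\s*["\']?)([^"\'\s,]+)'
)
# Well-known token shapes that should be redacted even without a telling key name.
TOKEN_RE = re.compile(r'\b(?:ghp_[A-Za-z0-9]{36}|AKIA[0-9A-Z]{16}|sk-[A-Za-z0-9]{20,})\b')


def is_within_project(path: Path, root: Path) -> bool:
    """True only if the resolved path (symlinks followed) stays under root."""
    try:
        path.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def is_denied_name(path: Path) -> bool:
    """Deny-list check on the file name alone, independent of location."""
    name = path.name
    return (name in DENY_NAMES or name.startswith(DENY_PREFIXES)
            or path.suffix in DENY_SUFFIXES)


def redact(text: str) -> str:
    """Replace credential-looking values with a placeholder before returning text."""
    text = SECRET_KV_RE.sub(lambda m: m.group(1) + "[REDACTED]", text)
    return TOKEN_RE.sub("[REDACTED]", text)


def read_for_docs(path_str: str, root: Path) -> str:
    """Read a project file for documentation, or raise PermissionError.

    Order matters: the scope check runs first so that a deny-listed name outside
    the project is reported as out of scope rather than leaking its existence.
    """
    candidate = Path(path_str)
    path = candidate if candidate.is_absolute() else root / candidate
    if not is_within_project(path, root):
        raise PermissionError(f"outside project root: {path_str}")
    if is_denied_name(path):
        raise PermissionError(f"deny-listed secret file: {path_str}")
    return redact(path.read_text(encoding="utf-8", errors="replace"))


def demo() -> dict:
    """Build a constructed sample project in a temp dir and exercise the guard."""
    root = Path(tempfile.mkdtemp())
    # Constructed sample files; the AKIA... value is AWS's documented example key id.
    (root / "README.md").write_text(
        "# Sample\nAPI_TOKEN=abcd1234 used by ci\nkey id AKIAIOSFODNN7EXAMPLE\n",
        encoding="utf-8")
    (root / ".env").write_text("DB_PASSWORD=hunter2\n", encoding="utf-8")
    (root / "config.json").write_text(
        '{"apiKey": "s3cr3t", "port": 8080}\n', encoding="utf-8")

    results = {"readme": read_for_docs("README.md", root),
               "config": read_for_docs("config.json", root)}
    for bad in (".env", "../etc/passwd", "/etc/passwd"):
        try:
            read_for_docs(bad, root)
            results[bad] = "allowed"
        except PermissionError:
            results[bad] = "blocked"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome!r}")
```

The scope check resolves symlinks, so a link inside the project that points at `~/.aws/credentials` is rejected rather than read. Redaction is a last line of defence only: the regexes catch common key names and token formats, not every secret, so the deny-list and the sandbox the audit recommends remain the primary controls.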