council
Audited by Socket on Feb 16, 2026
1 alert found:
Malware [Skill Scanner]: Instruction directing agent to run/execute external content

No direct malware or obfuscation is visible in the provided skill metadata. However, the skill's behavior — running a local script that reads 'full repo context' and sends it to external LLM providers — creates a meaningful data-exfiltration risk (sensitive files and environment variables could be included in prompts). Because the actual script implementation is not provided, network endpoints, auth methods, and any sanitization/redaction logic cannot be inspected.

Recommend treating this skill as suspicious until the scripts/counsel.py implementation is reviewed: ensure it uses official provider SDKs/endpoints, implements strict allowlisting/denylisting or redaction of secrets, avoids reading sensitive files, documents what files are included, and refuses to read environment secrets or dotfiles by default.

LLM verification: The documented skill itself contains no explicit malicious code or hard-coded credentials, but it prescribes a high-risk data flow: collecting and sending 'full repo context' to external LLM providers and showing 'full, unedited' responses. The highest concern is accidental exfiltration of secrets or IP and the inability to review the referenced execution script (scripts/counsel.py). Treat this as a medium security risk: do not run the script until the counsel.py contents are inspected. Recommen