android-slim-bindings
Audited by Socket on Feb 16, 2026
1 alert found:
Malware
[Skill Scanner] URL pointing to executable file detected

All findings:
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]

This SKILL.md and the included scripts/templates are coherent with the stated purpose of creating slim Android bindings for .NET. I found no evidence of intentional malicious behavior in the provided content. The primary supply-chain and privacy risks are: (1) executing downloaded build tooling (Gradle wrapper) and cloning template repositories, which is normal for builds but inherently trust-based; and (2) logging sensitive configuration values (apiKey printed to Log.d). Overall this appears to be a legitimate, functional binding template and guide, but users should follow best practices (pin/template commit hashes, avoid logging secrets, verify downloads) to reduce supply-chain risk.

LLM verification: This AI Agent Skill is generally consistent with its stated purpose: guiding creation of slim Android bindings for .NET. I found no clear malicious code or hidden backdoors in the provided documentation. However, the skill contains risky example shell commands ('rm -rf', 'chmod 777') and network-download instructions that, if copy/pasted without verification, can lead to destructive or insecure outcomes.
The Gradle distribution downloads come from a legitimate domain (services.gradle.org), but a