node-dev
Audited by Socket on Feb 24, 2026
1 alert found:
Security [Skill Scanner] [Documentation context] Credential file access detected BENIGN. The skill fragment is a coherent, non-executable guide for JavaScript/TypeScript development workflows, tooling configuration, and monorepo practices. There are no evident supply-chain attack patterns, credential handling, or external data flows. The documented instructions (e.g., pnpm commands, linting, git hooks) align with legitimate development processes and do not introduce risky behavior within the fragment itself.

LLM verification: [LLM Escalated] This skill is documentation for Node/JS development and is not itself malicious. However, it contains supply-chain risk patterns: the pre-commit hook that runs package installation and npx commands, unpinned dependency installs, and mention of local config paths. These increase the chance that third-party code could be executed on developer machines or that future dependency changes could introduce malicious code. Recommend: remove automatic installs from git hooks, require pinned/locked depende