agent-code-analyzer
Audited by Socket on Mar 1, 2026
1 alert found:
Security

This skill (agent manifest) is conceptually benign: it defines a code-analysis agent whose responsibilities and memory keys align with the stated purpose.

The primary security concern is supply-chain: the manifest invokes 'npx claude-flow@alpha' in hooks, which downloads and executes unpinned pre-release code. That pattern creates a tangible risk (remote code execution via npm install) and a transitive trust chain; if the claude-flow package or its dependencies are compromised, project files or analysis results could be exposed or modified. No direct evidence of credential harvesting or of obfuscated or malicious code is present in the manifest itself, and it does not request explicit system secrets.

Recommended mitigations: avoid running unpinned or pre-release packages in hooks, require pinned, verified package versions (with checksums), restrict hook execution to audited environments, and audit the claude-flow package and its dependencies before allowing these hooks to run in CI or on sensitive repositories.