code-manage-nix

This skill's stated purpose (finding Nix package attribute names and adding them to project Nix files, then verifying) aligns with its described capabilities. There are no explicit malicious instructions, no credential harvesting, no external untrusted download-and-execute commands like curl|bash, and no obfuscation. The primary risks are supply-chain in nature and inherent to modifying package lists and running Nix builds: an added dependency or the project's build expressions can fetch and execute arbitrary remote code during verification. The use of web search as a fallback slightly increases the chance of inserting incorrect or typosquatting attributes. To mitigate risk, the skill should require pinning/verification against a specific nixpkgs revision, require explicit human review/approval of file modifications before writing, and avoid using arbitrary web search results as authoritative sources.