prompt-engineer
Audited by Socket on Feb 16, 2026
1 alert found:
Malware [Skill Scanner] Instruction directing agent to run/execute external content

The manifest instructs immediate, unanalyzed execution of a local Python module from a hidden directory. That directive, combined with lack of provenance and absence of constraints, constitutes a significant supply-chain and operational risk: the invoked script could access secrets, modify files, or exfiltrate data. Treat this artifact as suspicious. Do not run it unreviewed; instead audit the invoked Python module, verify its source, and execute only in a sandbox with least privilege.

LLM verification: The SKILL.md itself does not contain direct malware, but it instructs immediate execution of an opaque local Python module in a hidden directory and explicitly forbids prior analysis. That combination is a strong supply-chain risk: executing unknown local code can lead to credential theft, data exfiltration, or other malicious actions. Treat this skill as SUSPICIOUS: do not run the referenced script without code review and provenance verification. If you must run it, first inspect the .claude/sk