google-devdocs

[Skill Scanner] Natural language instruction to download and install from URL detected All findings: [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] This skill is coherent and consistent with its stated purpose: it instructs the agent to query the official Google Developer Knowledge API to search and fetch documentation snippets and Markdown pages. There are no signs of credential harvesting, third-party proxies, download-and-execute instructions, or obfuscated/malicious code. The primary security note is operational: the examples put the API key in the URL (key=...), which can expose the key in logs or process listings; using Authorization headers or avoiding storing keys in shell history would be safer. Overall the skill appears benign with low security risk.