pipes-abi
Audited by Socket on Feb 23, 2026
1 alert found:
Security [Skill Scanner] [Documentation context] Backtick command substitution detected

This skill is coherent with its stated purpose (ABI fetching, analysis, TS type generation, and schema hints). I found no embedded backdoor, hardcoded secret, or obfuscated malicious code in the skill text. The primary security concerns are supply-chain and execution risks: it instructs unpinned npx execution (npx @subsquid/evm-typegen@latest) and suggests running external CLI commands (curl, cast). Those are legitimate for the task but increase supply-chain risk if the invoked packages or commands are compromised or if an operator blindly runs arbitrary shell lines. Recommend: pin typegen versions, validate explorer responses, and avoid executing untrusted shell one-liners; restrict allowed-tools where possible.

LLM verification: [LLM Escalated] The skill is functionally benign and matches its stated purpose of fetching and analyzing smart contract ABIs and generating TypeScript types and schema hints. I found no code-level signs of malware, hard-coded credentials, or obfuscated/backdoor behavior. The primary concerns are supply-chain and operational risks: unpinned remote tooling (npx @latest), use of shell/curl examples (download-and-execute patterns), missing ABI integrity verification, and potential inadvertent data sharing between
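The three mitigations the scanner recommends (validate the explorer response, verify ABI integrity, pin the typegen version) as an added example. This is not code from the pipes-abi skill or from Socket. The Etherscan-style response is constructed inline, the pinned digest is computed from that sample rather than fetched, the version number passed to npx is a placeholder, and the typegen CLI's own options are not modelled; only the `npx --yes <package>@<version>` form is assumed.

```python
"""Added example: validate an explorer ABI response and pin the ABI by digest."""
import hashlib
import json
import re

# Constructed sample of an Etherscan-style getabi response (not captured from a
# real explorer): the ABI arrives as a JSON *string* inside "result".
SAMPLE_RESPONSE = json.dumps({
    "status": "1",
    "message": "OK",
    "result": json.dumps([
        {"type": "function", "name": "transfer", "stateMutability": "nonpayable",
         "inputs": [{"name": "to", "type": "address"}, {"name": "value", "type": "uint256"}],
         "outputs": [{"name": "", "type": "bool"}]},
        {"type": "event", "name": "Transfer", "anonymous": False,
         "inputs": [{"name": "from", "type": "address", "indexed": True},
                    {"name": "to", "type": "address", "indexed": True},
                    {"name": "value", "type": "uint256", "indexed": False}]},
    ]),
})

ALLOWED_ENTRY_TYPES = {"function", "event", "error", "constructor", "fallback", "receive"}


def parse_explorer_abi(body: str) -> list:
    """Parse an explorer response and return the ABI as a list of entries.

    Rejects error envelopes, non-JSON results and entries that do not look like
    Solidity ABI items, so a failed or poisoned response cannot flow straight
    into type generation."""
    envelope = json.loads(body)
    if not isinstance(envelope, dict) or envelope.get("status") != "1":
        detail = envelope.get("result") if isinstance(envelope, dict) else body
        raise ValueError(f"explorer error: {detail!r}")
    abi = json.loads(envelope["result"])  # "result" is a JSON string, not an array
    if not isinstance(abi, list) or not abi:
        raise ValueError("ABI must be a non-empty JSON array")
    for entry in abi:
        if not isinstance(entry, dict) or entry.get("type") not in ALLOWED_ENTRY_TYPES:
            raise ValueError(f"unexpected ABI entry: {entry!r}")
        if entry["type"] in ("function", "event", "error") and not entry.get("name"):
            raise ValueError(f"unnamed {entry['type']} entry")
    return abi


def abi_digest(abi: list) -> str:
    """Canonical SHA-256 of an ABI (sorted keys, fixed separators), so whitespace
    or key-order differences between explorers do not change the digest."""
    canonical = json.dumps(abi, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_abi(body: str, pinned_digest: str) -> list:
    """Parse a fetched ABI and check it against a digest recorded at review time."""
    abi = parse_explorer_abi(body)
    actual = abi_digest(abi)
    if actual != pinned_digest:
        raise ValueError(f"ABI digest mismatch: expected {pinned_digest}, got {actual}")
    return abi


EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")


def pinned_typegen_argv(version: str, args: list) -> list:
    """Build an npx argv for @subsquid/evm-typegen with an exact version.

    Refuses "latest" and ranges so the generator reviewed once is the one that
    runs later. The trailing args are passed through untouched; the tool's own
    CLI options are not modelled here."""
    if not EXACT_VERSION.match(version):
        raise ValueError(f"pin an exact release, not {version!r}")
    return ["npx", "--yes", f"@subsquid/evm-typegen@{version}", *args]


if __name__ == "__main__":
    abi = parse_explorer_abi(SAMPLE_RESPONSE)
    digest = abi_digest(abi)  # commit this next to the ABI after reviewing it once
    verify_abi(SAMPLE_RESPONSE, digest)
    print("ABI ok:", digest)
    # "1.2.3" is a placeholder version, not a real release of the package.
    print(" ".join(pinned_typegen_argv("1.2.3", ["src/abi", "erc20.json"])))
```

The digest is taken over the parsed, canonicalised ABI rather than the raw HTTP body, so the same pin survives a change of explorer or of response formatting, while any change to a selector, parameter type or event signature still fails the check.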