crypt-librarian

Warn

Audited by Socket on Feb 21, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Installation of third-party script detected

This skill is conceptually benign for its declared purpose (film discovery, curation), but it carries moderate supply-chain and privacy risks. The primary concerns are:

1. forwarding an EXA_API_KEY/credentials to external services (credential exposure risk);
2. reliance on external CLIs/scripts (Exa, Firecrawl) and unpinned pip installs (supply-chain risk);
3. an autonomous agent that runs networked scraping on a schedule and writes to local databases (persistence and unnoticed data flows).

I do not see explicit malicious code in the provided documentation, but the combination of credential forwarding, unpinned third-party tools, and autonomous execution warrants caution.

Recommendations: require user review before installing or running any scripts; pin dependencies and vet Exa/Firecrawl origins; minimize credential scope (use limited-scope API keys), and ensure the autonomous agent requires explicit opt-in and provides transparent logs of external requests.

LLM verification: This skill's documentation and workflow are largely coherent with its stated purpose (web-based film discovery and curation). The primary supply-chain/security concerns are: running unpinned pip installs, executing multiple local Python scripts (download-execute pattern), and autonomous periodic execution which increases attack surface. There is no explicit sign of malicious intent in the provided text, but the download-and-run pattern and lack of pinned dependencies represent a moderate supply-

Confidence: 80%
Severity: 75%
Audit Metadata
Analyzed At: Feb 21, 2026, 05:51 PM
Package URL: pkg:socket/skills-sh/tdimino%2Fclaude-code-minoan%2Fcrypt-librarian%2F@4b26c8bad85fe3f97b6cd2d30cba2c37974b8e84