cc4d
Audited by Socket on Feb 20, 2026
1 alert found:
Security [Skill Scanner]: Installation of third-party script detected
All findings:
[HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] skill_discovery_abuse: System prompt extraction attempt (SD002) [AITech 4.3]
BENIGN: The content is a descriptive, user-driven workflow guide with no executable code, secrets, or network/data leakage behavior in isolation. Risk primarily depends on the proper secure execution of the referenced scripts in a trusted environment.
LLM verification: This skill's stated purpose (guide non-technical users through building and deploying a project) is plausible, and many requested capabilities match that purpose (reading/writing a progress file, scaffolding code, running builds, deploying). However, the skill prescribes unpinned remote installs (npm / npx), CLI-driven deployments (vercel), and an explicit 'dangerously-skip-permissions' Build mode that gives the agent broad, unsandboxed tool access. Those patterns materially increase supply-chain