specs

[Skill Scanner] Installation of third-party script detected Based on the provided SKILL.md content, the file is a benign prompt/skill manifest describing spec-driven development workflows and installing slash/prompt commands into agent config folders. It does not itself contain malicious code, obfuscated payloads, or suspicious network destinations. The main operational risk is that the /implement step gives agents the authority to generate and write code — which is appropriate for the stated purpose but requires that operators restrict agent permissions and review generated outputs. Recommend auditing the actual speckit package implementation (the code installed by npx/pip) and any agent runtime that will execute /implement before granting automated execution or broad repository permissions. LLM verification: The SKILL.md fragment itself contains no explicit malicious code, hard-coded secrets, or obfuscated payloads. However, its described functionality (installing slash-command templates into agent configuration folders and an `/speckit.implement` step that executes tasks to build features) requires high filesystem and execution privileges. Combined with an unpinned installation recommendation and lack of documented safeguards (no signing, no confirmation, no dry-run), this yields a moderate supply-