sast-idor

Warn

Audited by Socket on Apr 8, 2026

1 alert found:

Security: MEDIUM
SKILL.md

SUSPICIOUS/HIGH-RISK capability but not malware: the skill is internally consistent as a SAST IDOR detector and has no external installs, credential harvesting, or exfiltration paths. Its main risk is that it provides offensive security analysis capability to an AI agent and processes untrusted repository content while writing reports via autonomous subagents.

Confidence: 90%
Severity: 79%

Audit Metadata

Analyzed At: Apr 8, 2026, 08:00 AM
Package URL: pkg:socket/skills-sh/utkusen%2Fsast-skills%2Fsast-idor%2F@d708f4ac86beb99dab48ebbc9a3e19f2ffd2a746