pandasai

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] Benign: The skill description is coherent with its stated purpose (conversational data analysis using PandasAI across DataFrames and multiple backends) and does not demonstrate malicious behavior or credential harvesting patterns. Some risk exists if deployments mishandle API keys or expose generated code or results containing sensitive data; however, the footprint is consistent with a legitimate data-analysis tooling concept. LLM verification: This SKILL.md is legitimate documentation demonstrating how to use PandasAI to query DataFrames via LLM backends. There is no evidence in the provided file of intentionally malicious code, obfuscation, or direct credential harvesting. The main security concerns are operational: unpinned pip installs (supply-chain risk), sending DataFrame contents to external LLM providers (sensitive-data exposure), and unclear cache behavior (local persistence of sensitive data). Recommendations: pin dependency