spec-driven-development

[Skill Scanner] Code execution from unpinned remote source (uvx/pipx + git URL) Benign documentation artifact with clear guidance on Spec-Driven Development using GitHub spec-kit. Primary risk is reliance on external tooling for execution, which is standard for OSS workflow tools. No malicious behavior detected within the fragment itself. LLM verification: This SKILL.md is primarily documentation for using GitHub's spec-kit (specify CLI) and does not itself contain malicious code or direct data-exfiltration behavior. However, it instructs unpinned installation of a third-party CLI from a remote git URL and relies on runtime-installed agent configuration (.github/agents, .claude/) which can influence AI agent behavior. That download-and-execute pattern is a supply-chain risk: if the upstream repository or generated agent files are compromised, an a