google-adk-typescript

Fail

Audited by Socket on Feb 23, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Instruction directing agent to run/execute external content

This file is a benign documentation/quickstart for the Google ADK TypeScript SDK. It legitimately requests API keys and shows running npx/devtools and forwarding user input to model APIs; these behaviors are expected for this kind of SDK. No evidence of backdoors, credential-harvesting code, obfuscation, or malicious domains is present in the text provided. The primary security concerns are supply-chain execution (npx) and the normal privacy risks of sending user content and env-stored API keys to cloud model endpoints. Recommend treating API keys as secrets, auditing any installed packages before running npx, and avoiding sending sensitive data to models without safeguards.

LLM verification: The file is non-malicious documentation and example code for Google ADK TypeScript usage. I found no explicit malware, hardcoded secrets, obfuscation, or suspicious network endpoints in the provided content. The primary security concern is supply-chain risk: unpinned dependencies and npx download-and-execute patterns can expose developers to compromised packages that could exfiltrate env-stored API keys or execute arbitrary code. Lack of guidance on secure secret management is an additional, low

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At
Feb 23, 2026, 10:36 PM
Package URL
pkg:socket/skills-sh/vysotin%2Fcc_google_adk_skill%2Fgoogle-adk-typescript%2F@7c83c8fa31e254ce745c15efc2abf6fe9bdd92db