skill-gap-analyzer

The skill's stated purpose (detecting missing project skills and generating SKILL.md templates) aligns with most of its capabilities (reading requirements, listing skills, creating files). However, the enforced MCP Code Execution pattern is disproportionate relative to a simple skill-generator because it mandates generated skills run code in external execution environments (servers/, workspace/) and frequently targets integrations that require credentials. That design increases risk of credential exposure, arbitrary code execution, and supply-chain or exfiltration vectors if generated artifacts are later executed or configured to call attacker-controlled services. There are moderate filesystem and autonomy risks due to allowed Bash and write operations, but there is no direct evidence in this fragment of downloads, hardcoded exfiltration endpoints, or obfuscation. Overall this is not clearly malicious but presents a meaningful supply-chain/security risk (credential forwarding and remote code execution surface) that requires careful operational controls, reviewed code generation, and explicit secure auth patterns before use.