reviewing-python-libraries
Audited by Socket on Feb 16, 2026
1 alert found:
Malware [Skill Scanner]: Installation of third-party script detected. BENIGN. The fragment is a cohesive, non-executable guidance document for performing Python library reviews. It aligns with the stated goal of assessing library health, packaging, tests, security, and documentation. No malicious behavior, hidden data flows, or credential exposure are evident. The scope is proportionate to a manual review workflow and does not imply automated deployment or data exfiltration. LLM verification: The skill is functionally benign and useful for performing Python library reviews, but it omits critical operational safety guidance. The explicit instructions to install tools from PyPI without pins and to run pytest on cloned repositories create a practical supply-chain and RCE risk if executed on untrusted code from the internet or on non-isolated machines. Recommend updating the skill to require sandboxed execution, pinned or hashed installations, repository provenance checks, and network/cr