code-splitter
Audited by Socket on Mar 23, 2026
1 alert found:
Obfuscated File
The file is primarily a benign CLI wrapper that formats and writes analysis results. The most significant security issue is that it prepends a repository-local path (.claude/skills/code-splitter/scripts) to sys.path and imports modules from there, creating a local supply-chain / arbitrary code execution vector if that directory is writable or untrusted. There are no direct signs of network exfiltration, hard-coded credentials, or obfuscated malicious code within this file itself. A separate bug (undefined 'epilog') will cause a runtime error. Overall: safe to use only when the inserted directory and its modules are audited and trusted; otherwise treat this as a moderate supply-chain risk and inspect the imported modules before execution.