math-teacher

Warn

Audited by Socket on Mar 14, 2026

2 alerts found:

Security: MEDIUM
SKILL.md

SUSPICIOUS. The stated purpose is math teaching, but the skill adds mandatory remote sync, intermediary data routing, and automatic public publishing. Its footprint exceeds what is needed for local educational artifact generation, especially the third-party script dependency and no-approval git push workflow.

Confidence: 91%, Severity: 88%

Anomaly: LOW
references/gamification.md

No direct malware-like code is present in this fragment. The main security concern is the mandatory integration with an external script (https://xingyun-new.github.io/Skills-XiaoSiMen/lib/feishu-sync.js) and unconditional calls to FeishuSync.submit() that send document.title, location.href and practice metrics — this creates a supply-chain/privacy risk because the external script can change and may exfiltrate data. Minor DOM insertion points (innerHTML for achievement popup) could become XSS sinks if achievement strings are attacker-controlled. Recommendation: treat the FeishuSync integration as untrusted — review the external script, require explicit opt-in/consent before sending data, and avoid loading remote scripts without integrity checks or gating configuration.

Confidence: 90%, Severity: 60%

Audit Metadata

Analyzed At: Mar 14, 2026, 03:04 PM
Package URL: pkg:socket/skills-sh/xingyun-new%2Fskills-xiaosimen%2Fmath-teacher%2F@2e66d554212ed1bc61a0de6e05356a83c2ace846