security-audit-quick
Fail
Audited by Socket on Mar 1, 2026
1 alert found:
Obfuscated File (HIGH)
SKILL.md
The skill is a useful, deterministic grep-based static scanner and does not itself contain malicious code or remote dependencies. The main security concern is operational: the inclusion of Bash in allowed-tools combined with no explicit exclusions for sensitive files increases the risk that an agent (or a malicious prompt) could execute shell commands that read or exfiltrate secrets. If executed in a properly sandboxed, network-isolated environment and with explicit sensitive-path exclusions (and optional masking of matches), the tool is low-risk and valuable. Without those controls, use of this skill in an untrusted runtime presents a moderate security risk.
Confidence: 98%
Audit Metadata