wiggum
Audited by Socket on Feb 16, 2026
1 alert found:
Malware [Skill Scanner]: Instruction directing agent to run/execute external content

The fragment presents a coherent, governance-focused autonomous development loop intended to promote plan-first, gated delivery with incremental commits and thorough validation. It is not inherently malicious; the primary concerns relate to the integrity and security of the external hooks/scripts and the implied environment where such automation runs. Treat as a well-structured blueprint that requires strong safeguards (signed hooks, code integrity checks, and explicit user authorization) to mitigate risks from hook-driven automation.

LLM verification: The skill's text itself contains no explicit hardcoded secrets, obfuscated payloads, or obvious malicious commands. However, it requires installing and executing repository-provided shell scripts and a validation script that are not included in the reviewed fragment; this is a moderate supply-chain risk. If those referenced scripts are malicious or compromised, they could execute arbitrary commands, persist via git hooks, read sensitive files/environment variables, or exfiltrate data. Treat the