Trawl

Pass

Audited by VirusTotal on May 12, 2026.

Findings (1)

The skill is classified as suspicious because of `jq` filter-injection flaws in `scripts/leads.sh` and `scripts/report.sh`. In both scripts, user-controlled filter variables (`STATE_FILTER`, `CAT_FILTER`) are interpolated directly into the text of a `jq` filter expression without escaping (e.g., `select(.value.state == "$STATE_FILTER")`). A value containing a double quote therefore terminates the string literal and the remainder is parsed as `jq` program syntax, which lets an attacker who controls the filter value alter the query: for example, widen the `select()` to match every record, or otherwise read or rewrite data in the local `leads.json` and `last-sweep-report.json` files. The standard remedy is to bind such values with `jq --arg name "$value"` and reference `$name` inside the filter, so they are passed as data rather than parsed as code. The external API interactions are handled more carefully (URL encoding and safe JSON construction), but this internal data-processing flaw remains a significant concern.
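The following script is an added illustration of the finding, not code from the Trawl skill: it places the unescaped-interpolation pattern quoted above next to the `--arg` form and runs both against a small constructed `leads.json`-style document. The object layout (`{"acme": {"state": ..., "category": ...}, ...}`), the use of `to_entries`, the function names `leads_vulnerable`/`leads_hardened` and the payload are all assumptions for the demonstration; only the `select(.value.state == "$STATE_FILTER")` fragment comes from the finding. It requires `jq`.

```shell
#!/bin/sh
# Added example (not part of the Trawl skill). Requires jq.
set -eu

# Constructed sample data in the shape the finding implies for leads.json;
# the real schema is not shown, so this layout is an assumption.
LEADS_JSON='{
  "acme":    {"state": "new",       "category": "saas"},
  "globex":  {"state": "contacted", "category": "retail"},
  "initech": {"state": "new",       "category": "fintech"}
}'

# VULNERABLE: the filter value is spliced into the jq program text, so a
# double quote in it ends the string literal and the rest becomes jq syntax.
leads_vulnerable() {
  state_filter="$1"
  printf '%s' "$LEADS_JSON" |
    jq -r "to_entries[] | select(.value.state == \"$state_filter\") | .key"
}

# HARDENED: --arg binds the value to a jq variable. It is never parsed as
# program text, so quotes and operators in it are ordinary characters.
leads_hardened() {
  state_filter="$1"
  printf '%s' "$LEADS_JSON" |
    jq -r --arg s "$state_filter" 'to_entries[] | select(.value.state == $s) | .key'
}

# Constructed payload: closes the string literal and ORs in a tautology, so
# the vulnerable select() becomes
#   select(.value.state == "x" or true or "")
# and passes every entry regardless of its state.
PAYLOAD='x" or true or "'

if [ "${1:-}" = "--demo" ]; then
  echo "vulnerable, payload -> every lead is disclosed:"
  leads_vulnerable "$PAYLOAD"
  echo "hardened, same payload -> treated as a literal, matches nothing:"
  leads_hardened "$PAYLOAD"
  echo "hardened, legitimate filter 'new':"
  leads_hardened "new"
fi
```

Run it with `sh leads_demo.sh --demo`. The same `--arg` change applies to `CAT_FILTER` and to the `report.sh` filter; when a value must be compared as a number or boolean rather than a string, `--argjson` binds it as parsed JSON while still keeping it out of the program text.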