Skill Scanner

Security checks across malware telemetry and agentic risk

Overview

The skill's code and instructions are broadly consistent with a local static scanner, but the package provenance is unknown, some source text was truncated in the review, and there are small implementation/assurance gaps you should verify before trusting it.

This package appears to implement a local static scanner and a Streamlit UI that scans only the files you provide. Before installing or running it, do the following:

1) Verify the source/author: the registry metadata shows no homepage and the origin is unknown; prefer code from a trusted repo.
2) Inspect the full skill_scanner.py and streamlit_ui.py (the provided copy was truncated in places) to confirm there is no hidden behavior (network calls, code execution, auto-update).
3) Do not point the scanner at real secret stores or upload sensitive files to the web UI. It only looks for strings/patterns in files, but uploading sensitive data to a web UI increases exposure.
4) Run it in a sandbox or VM first and test on harmless sample skills to validate false-positive/negative behavior.
5) Note minor implementation issues (the UI references a format_markdown method and truncated code made it impossible to confirm all functions); fix or review those before relying on automated CI gating.

If you want higher assurance, ask the publisher for a canonical repo URL, full source, and a reproducible build or have a security-savvy reviewer audit the complete code.

SkillSpector

By NVIDIA

SkillSpector findings are pending for this release.

VirusTotal

64/64 vendors flagged this skill as clean.
