Dice
Pass
Audited by VirusTotal on May 14, 2026.
Findings (1)
The Dice skill bundle is a local logging utility for gaming statistics, but it contains a shell injection vulnerability in the `_search` function of `scripts/script.sh`, where the `$term` argument is passed unsanitized to `grep`. Furthermore, `SKILL.md` contains embedded shell commands (e.g., `du`, `cat`, `wc`) intended to be executed by the agent to report data size and entry counts. While these actions are consistent with the tool's stated purpose and no evidence of data exfiltration or intentional malice was found, the lack of input validation and the use of executable logic within markdown instructions pose a security risk.
