Skill Sharer

The skill's stated purpose (sanitized publishing of a local skill to a GitHub repo) matches the files and workflow, but important gaps and risks remain — the scripts perform filesystem and network operations (git push) without declared dependencies, no explicit credential handling is documented, and the actual sanitization behavior cannot be verified from the metadata alone.

Before installing or running this skill, review and test the included shell scripts in a safe environment: 1) open scripts/sanitize.sh and scripts/share-skill.sh and verify they don’t send data to external endpoints (curl/wget/netcat) or hard-code alternate remote URLs; 2) confirm the sanitization regexes/logic actually remove secrets (API keys, SSH strings, file paths) by running on sample data; 3) run the scripts against a disposable test repo to confirm commits/pushes go only to the intended remote; 4) ensure the workflow requires explicit human confirmation before any git push (or set disable-model-invocation if you don’t want autonomous runs); and 5) prefer running these scripts locally with your own vetted git credentials rather than granting any additional service tokens. If you cannot manually audit the scripts, treat this skill as higher risk and avoid installing it.