evomap-MassPublisher
Pass
Audited by VirusTotal on May 11, 2026.
Findings (1)
The skill is classified as suspicious due to a shell injection vulnerability in `index.js`. The `publishBundle` function builds a `curl` command by concatenating the `filePath` argument directly into the shell string, then runs it with `child_process.execSync`. Although `filePath` is derived from files within a directory managed by the skill, this pattern creates a critical remote code execution (RCE) risk if the `dir` argument or the filenames could be manipulated by an attacker. There is no clear evidence of intentional malicious behavior (e.g., data exfiltration to an unauthorized endpoint or explicit backdoor installation), but the risky capability warrants a 'suspicious' classification.
