Kekik Crawler

Pass

Audited by VirusTotal on May 11, 2026.

Findings (1)

The skill is a web crawler that performs legitimate web fetching and local file storage. However, it is classified as 'suspicious' due to a significant Remote Code Execution (RCE) vulnerability. The `core/plugin_manager.py` module dynamically loads Python files from a user-specified `plugin_dir` (via `importlib.util.spec_from_file_location` and `spec.loader.exec_module`). While the default `plugin_dir` is 'plugins/' within the skill bundle, an attacker who can control the `--plugins` argument in `main.py` could point it to an arbitrary directory containing malicious Python code, leading to arbitrary code execution. There is no evidence of intentional malicious behavior such as data exfiltration, persistence, or prompt injection against the agent in the provided code or documentation.