Selection Agent

Pass. Audited by VirusTotal on Mar 29, 2026.

Findings (1)

The skill bundle contains highly risky instructions in SKILL.md that direct the AI agent to execute a Python script from a temporary directory (/tmp/powerful-trendplus/scripts/run_full_research.py) and source local environment variables (.env.local). It explicitly mentions that sensitive tokens and API keys (Semrush, FB_ADS_TOKEN, NOTION_API_KEY, GEMINI_API_KEY) are stored in these local files. While these behaviors facilitate arbitrary code execution and potential credential access, the lack of the actual script payload or explicit exfiltration logic makes it impossible to confirm malicious intent versus extremely poor security practices for a research tool.