maldives-island-picker
Pass. Audited by VirusTotal on Apr 3, 2026.
Findings (1)
The skill utilizes risky capabilities including shell command execution via `npx`, web searching, and file system access, which are plausibly required for its stated purpose but represent significant attack surfaces. While `SKILL.md` includes proactive security instructions for the AI agent to perform input sanitization and whitelisting to prevent shell injection, the reliance on external CLI tools and the potential for SSRF in the `scripts/export-pdf.py` script (via `weasyprint` processing external content) are inherent vulnerabilities. No evidence of intentional malice, data exfiltration, or obfuscation was found.
