web-claude
Pass. Audited by VirusTotal on May 14, 2026.
Findings (1)
The skill is classified as suspicious due to significant vulnerabilities that could lead to remote code execution (RCE) and arbitrary file writes. The `python -c` command used for DuckDuckGo search in SKILL.md presents a shell/Python injection risk if the search query is not properly sanitized. Additionally, the auto-caching feature, which creates files in `memory/research/` with `[keyword]` derived from the search query, introduces a path traversal or arbitrary file write vulnerability if the keyword is not sanitized. The skill's stated purpose is benign, but these implementation flaws allow for potential exploitation. It is therefore classified as suspicious rather than malicious, as there is no clear evidence of intentional harmful design.
