Skill Scaffold
Pass
Audited by VirusTotal on May 12, 2026.
Findings (1)
The `bin/skill-scaffold.js` script, which generates skill files, does not sanitize the user-provided `description` and `author` inputs before embedding them in the generated `SKILL.md` and `README.md`. As a result, a malicious `description` could be crafted to perform prompt injection against an AI agent that subsequently reads the generated `SKILL.md`. While the tool itself does not exhibit malicious behavior, it facilitates the creation of vulnerable content, and it is classified as suspicious because of this potential for downstream exploitation.
