QA Reviewer

What to consider before installing/using this skill: - Source and provenance: the skill's Source/Homepage are unknown and the package repo URL in package.json should be verified (may not exist). Be cautious installing skills from unknown maintainers. - Missing referenced script: SKILL.md/README reference generate_report.sh but that file is not present—expect minor documentation drift or a packaging error; verify intended behavior before relying on it. - Test execution risk: run_tests.sh can compile and execute project tests (cmake/make or pytest). If the project contains untrusted code or malicious test runners, executing tests can run arbitrary code on your machine. This is expected for a testing tool but is a security risk when used on unknown repositories. - Recommended mitigations: - Inspect scripts (scripts/*.sh) yourself before running. They are simple and readable here, but still review any changes in future versions. - Run the scripts in an isolated environment (container, VM, sandbox) or on a CI runner with limited privileges when scanning untrusted projects. - Verify the repository URL and maintainer identity; prefer skills from known/trusted publishers. - If you only need static analysis or report generation, consider running code_review.sh only (it mostly greps/finds and writes a markdown report) instead of running compiled tests. - If you want higher assurance: request the maintainer to add the missing generate_report.sh or clarify docs, and provide a signed repository or official homepage.