gqllint
Pass
Audited by VirusTotal on May 10, 2026.
Findings (1)
The skill bundle contains critical command injection vulnerabilities in 'scripts/license.sh' and 'scripts/analyzer.sh'. The 'extract_field' function in 'license.sh' parses JSON by interpolating the raw, decoded JWT payload directly into the source strings handed to 'python3 -c' and 'node -e', so a license key whose payload closes the quoted string and appends a statement runs arbitrary code in that interpreter; since the license key is externally supplied, this is remote code execution via a crafted license key. Additionally, 'scripts/dispatcher.sh' rewrites the repository's 'lefthook.yml' (the configuration read by the lefthook git-hooks manager) so that git hooks execute scripts from the skill directory. While these behaviors align with the tool's stated purpose as a GraphQL security analyzer and license-restricted product, the lack of input sanitization on externally-influenced data (JWTs and config files) constitutes a high-risk security flaw. The payload should reach the interpreter as data (stdin or argv), never as code, and hook targets should be pinned to a reviewed location rather than a directory the bundle controls.
