Skill
Pass
Audited by ClawScan on Feb 23, 2026.
Overview
The skill is an instruction-first Python-based security scanner and its requirements and behavior are coherent with that purpose.
This tool appears to do what it says: it reads a skill directory and flags dangerous patterns. Before using it, keep in mind:

(1) It will read every file you point it at — don't scan directories that contain private keys or secrets you don't want loaded by a third-party script; run the scanner in an isolated/sandboxed environment if you are unsure.

(2) The scanner intentionally suppresses or reduces severity for patterns inside strings, docs, and pattern-definition blocks (to avoid false positives). That behavior is reasonable for a scanner, but it can be abused by a malicious author who formats dangerous code to look like a pattern definition or comment — treat its 'A'/'B' grade as a starting point and manually inspect any high-sensitivity items the scanner flags, especially undeclared permissions (gateway, write, nodes, edit, etc.).

(3) Reports embedded in the package appear to be snapshots (older version numbers in reports); prefer running the bundled scanner yourself rather than relying on packaged reports.

Overall: the package is coherent with its purpose, but do manual review and run it in a safe environment when scanning untrusted skill directories.
