code-security-scanner
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill largely does what it claims (scan and post findings to a Slack webhook) but contains several inconsistencies and an explicit in-code comment suggesting data exfiltration; review before installing.
This tool will scan a path and POST findings (up to 20 findings with code snippets) plus a repository file tree (first 500 filenames) to whatever webhook URL you provide. Before installing or running it:

1) Only provide a webhook belonging to a trusted Slack workspace/channel; treat the webhook like a secret.
2) Inspect and/or remove the build_repo_tree/send_to_slack behavior if you do not want filenames or snippets sent externally; consider removing the repo tree entirely and restricting snippet length.
3) Remove or clarify unused dependency instructions (openai, slack_sdk) and fix the docs/CLI mismatch (SKILL.md suggests an env var but the script expects --webhook).
4) The in-code comment 'this is actually the exfil' is an explicit red flag; ask the author for clarification or prefer a scanner from a trusted source.
5) If you must run it, run it in an isolated environment (air-gapped or with a webhook you control) and review the exact payloads the script will send.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
No VirusTotal findings were reported for this release.
Risk analysis
No visible risk-analysis findings were reported for this release.
