Safe Skill

Audited by ClawScan on Mar 16, 2026.

Overview

The package is a mostly coherent, self-contained static scanner that matches its description, but there are prompt‑injection markers in the SKILL.md and features (Markdown downgrading of findings, remote fetch + disk write) that could be abused — review before running, especially against untrusted targets.

This skill appears to implement what it advertises (a self-contained static scanner). However:

1) Open and read SKILL.md and README.md in a text editor that shows hidden characters — the manifest contained prompt-injection patterns and Unicode control characters that could be used to influence an agent.
2) The fetcher will download arbitrary remote repositories and write them to disk for analysis — run the scanner in an isolated environment (sandbox, VM, or CI runner) and do not give it elevated privileges or access to sensitive mounts.
3) The scanner auto-downgrades findings under certain Markdown headings — this can reduce false positives but can also hide malicious examples if abused, so manually review MEDIUM+ and HIGH findings rather than trusting the automated downgrade.
4) Only provide a GITHUB_TOKEN with minimal scopes if you need to avoid rate limits.
5) If you plan to let an agent invoke this skill autonomously, consider restricting invocation or reviewing logs, because a compromised scanner that is permitted to fetch remote content has higher impact.

If you want higher assurance, run the bundled scripts locally on a throwaway machine and audit the code paths that write files or invoke subprocesses (scan.py imports subprocess and parses many patterns).