skill-scanner

SUSPICIOUS: the stated purpose mostly matches the read/scan behavior, but the skill hardcodes an API token and transmits full local skill contents to a remote model endpoint whose exact public documentation could not be verified. The main risks are credential handling, external code/data exposure, and recursive analysis of untrusted skill content rather than confirmed malware.