shannon

SUSPICIOUS: the skill is internally aligned with its stated security-testing purpose, but that purpose itself grants an AI agent high-risk offensive capabilities against live systems and repos. The main concerns are autonomous security scanning, exploit validation, third-party npx/Docker execution, and credential forwarding during setup; this looks like a legitimate but dangerous security tool rather than confirmed malware.