english-learner

Warn

Audited by Socket on May 13, 2026

1 alert found:

Anomaly (LOW)
scripts/hooks/session-context.cjs

Overall, this module is a local vocab/quiz manager that uses SQLite and local files. The strongest security/supply-chain concern is that it also modifies user home configuration files for other AI assistants/tools (e.g., .trae/.claude/.codex hooks/settings) by filtering/removing hook commands based on a skillId (partially shown). While the snippet does not show classic malware (no network exfiltration or process execution), the ability to silently change other tools’ behavior is an invasive and potentially sabotaging action. Additionally, there is a SQL pattern risk (template string table name) though it appears hardcoded here. Security risk is therefore elevated mainly due to filesystem tampering with third-party tool configs.

Confidence: 62%
Severity: 67%
Audit Metadata

Analyzed At: May 13, 2026, 08:24 AM
Package URL: pkg:socket/skills-sh/learnwy%2Fskills%2Fenglish-learner%2F@e108002122a6884ab2b1a4aa422c864d9c410516