code-security-audit

Warn

Audited by Socket on Apr 18, 2026

1 alert found:

Security: MEDIUM
SKILL.md

SUSPICIOUS. The skill is internally coherent for a code security audit workflow, but it is inherently high risk because it equips an AI agent with offensive security scanning, command execution, Docker builds, and broad processing of untrusted repository content. No clear credential-harvesting or exfiltration behavior is present, so this is not confirmed malware; the main concern is powerful audit/pen-test capability plus moderate supply-chain and prompt-injection exposure.

Confidence: 88%
Severity: 79%

Audit Metadata

Analyzed At: Apr 18, 2026, 02:14 AM
Package URL: pkg:socket/skills-sh/sparkfabrik%2Fsf-awesome-copilot%2Fcode-security-audit%2F@4686999888de7bf7efb56f5154b535dea39a496a