deepsec

The skill is purpose-aligned and appears to use the official Vercel DeepSec distribution, so it is not clearly malicious. It is still security-sensitive because it installs mutable dependencies, forwards environment credentials into an external AI-assisted scanner, and reads untrusted repo instructions before running a shell-capable agent. Overall classification: SUSPICIOUS due to medium-high operational risk, mainly from prompt-injection and AI security-tool execution rather than deceptive provenance.