Don’t run untrusted skills blind.

Paste a public GitHub skill link. We’ll fetch source, run a quick static scan, and return a Low / Medium / High verdict with line-level evidence.

This does not prove safety — it catches common “don’t run this” patterns fast.

• • Evidence-first findings: file + line snippets
• • Developer edge: flags exec/eval, outbound domains, secret access
• • GitHub-only: public repos, no installs