bash-script-validator

Fail

Audited by Snyk on Mar 4, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill's response template and fix steps require including exact code snippets from the target script (problematic snippet and corrected snippet), so if those scripts contain API keys, tokens, or passwords the LLM will be required to reproduce them verbatim in its output.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The scripts/shellcheck_wrapper.sh installs and runs shellcheck-py at runtime via pip3 (i.e. fetching the package from PyPI — e.g. https://pypi.org/project/shellcheck-py/), which results in remote code being downloaded and executed as a required fallback for ShellCheck, so this is a runtime external dependency that can execute code.

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 4, 2026, 08:54 AM