cloud-uploader

Warn

Audited by Socket on Feb 22, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Backtick command substitution detected

All findings:
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

No direct malicious indicators are present in this SKILL.md fragment: the capabilities (reading local files and credentials, running a Python upload script, using boto3 to upload to S3/R2) are consistent with the declared purpose of uploading promo videos to cloud storage. However, there are moderate supply-chain and credential-handling risks: credentials are expected in a plaintext config file, execution relies on a local upload_to_cloud.py (not provided) which must be audited to ensure it only calls official S3/R2 APIs and does not exfiltrate secrets, and dependencies (boto3) are installed via pip (unpinned). I rate this as not malicious but with a medium security risk that requires verifying the actual upload script and securing the credential file and dependency installation.

LLM verification: This SKILL.md appears to be a legitimate, well-scoped documentation for uploading promo videos to Cloudflare R2 or AWS S3. There are no direct indicators of malicious behavior in the provided text. However, there are moderate supply-chain and operational risks: credentials are held in a local plaintext YAML file; the docs recommend an unpinned boto3 install; and the workflow runs a plugin-supplied Python uploader script (upload_to_cloud.py) that would receive credentials and access local media f

Confidence: 75%
Severity: 75%

Audit Metadata
Analyzed At: Feb 22, 2026, 02:45 PM
Package URL: pkg:socket/skills-sh/bitwize-music-studio%2Fclaude-ai-music-skills%2Fcloud-uploader%2F@a912a6c17413217a7433ee338a666f66fff32715