alexa-cli

Fail

Audited by Socket on Feb 16, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Natural language instruction to download and install from URL detected

All findings:

- [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
- [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
- [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]

This skill/CLI appears to be a plausible third-party tool for controlling Alexa devices. The documented capabilities match its stated purpose. The main security concerns are: (1) it uses an 'unofficial Amazon API', which requires careful scrutiny of how credentials are obtained, stored, and where network requests are sent; and (2) it has high-impact capabilities (announcements and device control) that rely on sensitive tokens. Because the README does not disclose credential handling or exact endpoints, I rate this as a moderate security risk — review the implementation code before use, confirm that authentication happens directly with Amazon endpoints, and verify secure storage of tokens.

LLM verification: No direct malicious code is present in this SKILL.md file itself; it is a documentation/integration guide that points to an external GitHub project (alexacli). Primary concerns are supply-chain and credential-handling risks: the instructions ask users to install unpinned code from a third-party repo, and the tool uses an "unofficial Amazon API," which can require scraping or handling session tokens. Before trusting and installing the tool, reviewers should inspect the actual repository code for ho

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At
Feb 16, 2026, 01:06 AM
Package URL
pkg:socket/skills-sh/buddyh%2Fclaude-code-skills%2Falexa-cli%2F@09c8332ff897ca1fc5bca5d06f4a5c703ff39b7a