zentao

Fail

Audited by Snyk on Mar 12, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The prompt includes an explicit CLI login example that passes the account name and password as command-line arguments (zentao-cli login --account "<account>" --pwd "<password>"). This encourages embedding secrets verbatim in commands, where they are exposed through shell history and the process table, and creates an exfiltration risk even though most tool calls use internal auth.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). None of these are direct .exe download links, but the instructions reference an unknown/placeholder domain (https://xxxxx.com/zentao), an internal-looking host (http://zentao.yourcompany.com/...), and a GitHub/npm author (chenish) that is not a well-known or trusted publisher. Installing or running the referenced CLI or packages from these unverified sources could execute arbitrary code, so treat this as moderately high risk.
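The two findings above (W007, secrets on the command line, and E005, downloads from unverified hosts) are the kind of thing a reviewer can check mechanically before approving a skill. The script below is an added example, not Snyk's scanner and not the zentao skill's own code: it tokenizes each instruction line looking for secret-bearing flags followed by a value, and classifies every URL it finds against a few host heuristics. The flag list, the trusted-host allowlist, the placeholder/internal label sets and the sample instruction text are all assumptions chosen for illustration; the sample reuses the command and URLs quoted in the findings with English placeholders.

```python
"""
Scan agent-skill instruction text for the two classes of finding reported
above: secrets passed as command-line arguments (W007) and download or
install URLs pointing at unverified hosts (E005).

Added example: not Snyk's scanner and not the zentao skill's own code. The
flag list, host heuristics and sample text are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Flags that conventionally carry a secret on the command line (assumption).
SECRET_FLAGS = {"--pwd", "--password", "--passwd", "--token", "--api-key", "--secret"}

# Hosts considered vetted for downloads; everything else is reported (assumption).
TRUSTED_HOSTS = {"github.com", "registry.npmjs.org", "pypi.org"}

# Hostname labels that mark a placeholder or an internal-only host (assumption).
PLACEHOLDER_LABEL = re.compile(r"x{3,}|example|placeholder")
INTERNAL_LABELS = {"yourcompany", "internal", "corp", "intranet", "local", "lan"}

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


@dataclass(frozen=True)
class Finding:
    code: str      # W007 or E005
    severity: str
    line: int      # 1-based line in the instruction text
    detail: str


def find_cli_secrets(text: str) -> list[Finding]:
    """W007: a secret-bearing flag followed by a value on the same command line.

    Command-line arguments are visible to every local user through the process
    table (ps, /proc/<pid>/cmdline) and land in shell history, so any value
    given this way is effectively disclosed, placeholder or not.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        for i, tok in enumerate(tokens):
            flag, _, value = tok.partition("=")          # handles --pwd=x and --pwd x
            if flag in SECRET_FLAGS and (value or i + 1 < len(tokens)):
                findings.append(Finding("W007", "HIGH", lineno, f"secret passed via {flag}"))
                break  # one finding per line is enough
    return findings


def classify_url(url: str) -> list[str]:
    """Return the reasons a download URL looks unverified; empty means trusted."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    labels = host.split(".")
    reasons = []
    if parsed.scheme == "http":
        reasons.append("plaintext http")
    if any(PLACEHOLDER_LABEL.fullmatch(label) for label in labels):
        reasons.append("placeholder domain")
    if "." not in host or any(label in INTERNAL_LABELS for label in labels):
        reasons.append("internal-looking host")
    if not reasons and host not in TRUSTED_HOSTS:
        reasons.append("host not on allowlist")
    return reasons


def find_suspicious_urls(text: str) -> list[Finding]:
    """E005: every URL in the text that classify_url does not clear."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for url in URL_RE.findall(line):
            reasons = classify_url(url)
            if reasons:
                findings.append(Finding("E005", "CRITICAL", lineno, f"{url}: {', '.join(reasons)}"))
    return findings


def audit(text: str) -> list[Finding]:
    """All findings for one skill's instruction text, ordered by line."""
    return sorted(find_cli_secrets(text) + find_suspicious_urls(text), key=lambda f: f.line)


# Constructed sample resembling the skill instructions quoted in the findings above.
SAMPLE_INSTRUCTIONS = """\
Install the CLI from https://xxxxx.com/zentao or your own mirror.
Your instance lives at http://zentao.yourcompany.com/zentao/ (adjust as needed).
Log in before the first call:
  zentao-cli login --account "<account>" --pwd "<password>"
Most other commands reuse the session established by that login.
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_INSTRUCTIONS):
        print(f"{f.severity:8} {f.code} line {f.line}: {f.detail}")
```

Run against the constructed sample it reports the placeholder domain on line 1, the plaintext internal host on line 2 and the --pwd argument on line 4. The allowlist only clears a host, not a publisher: a github.com URL from an unknown author still needs the manual publisher check the E005 finding calls for.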

Issues (2)

W007 (HIGH): Insecure credential handling detected in skill instructions.
E005 (CRITICAL): Suspicious download URL detected in skill instructions.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 12, 2026, 11:50 AM
Issues: 2