Scaleway Deployment
Fail
Audited by Snyk on Feb 23, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.80). The prompt includes deceptive/hiding instructions outside normal deployment guidance—e.g., collect/store secrets via chat and in GitHub, “run scripts silently,” “all this happens automatically, user never sees it,” and “never show infrastructure code”—which instruct the agent to hide actions and withhold information beyond the skill's stated purpose.
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). This skill explicitly instructs the agent to ask users to paste Scaleway access and secret keys into the conversation and to store them in GitHub Secrets, which requires the LLM to receive and handle secret values verbatim and creates a high exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's required setup steps (SKILL.md Step 3) explicitly curl-and-execute a public raw GitHub installer (https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/...) and git-clone plugins from public repositories as part of the normal provisioning flow, so it ingests and runs open/public third-party code that can change the runtime environment and thereby materially influence subsequent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's runtime setup steps explicitly execute remote code (curl | sh) from https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh and perform git clones from https://github.com/zsh-users/zsh-autosuggestions and https://github.com/zsh-users/zsh-syntax-highlighting as part of the automated server configuration, so these URLs are fetched during runtime and can execute third-party code that the skill relies on.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs creating user accounts, editing /etc/sudoers (granting NOPASSWD sudo), modifying local SSH config and other user files, and running scripts that store secrets and change system state — all actions that modify the host/remote machine state and can compromise security.
Audit Metadata