setup

Fail

Audited by Snyk on Apr 29, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The wizard repeatedly instructs the agent to collect/paste secrets and then embed them into commands, configs, and curl/security invocations (including accepting pasted API keys, reading temp files, and writing keychain/daemon entries), which requires the LLM to handle and emit secret values verbatim — a high exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill contains multiple deliberate patterns that enable covert, comprehensive credential harvesting (scanning env, shell profiles, Doppler, keychains, password managers, Chrome history, project .envs), automated browser-based extraction (Playwright/Kapture) to pull tokens, forced backgrounding of all shell commands to hide activity, and automated writes of secrets/configs and launchd/system persistence (daemons, keepalive agents, shell-profile modifications). Together these facilitate credential theft, silent exfiltration or persistent backdoor behavior if abused or paired with malicious downstream code.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The setup wizard explicitly fetches and parses content from public third-party sites (e.g., my.telegram.org in the Telegram autolink, Playwright-based Slack token extraction via bin/ops-slack-autolink.mjs, automated Shopify/admin page scraping and web searches for partner docs), and those fetched HTML/JSON results are parsed and used to decide next actions and configure credentials—exposing the agent to untrusted third-party content that could inject instructions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly includes integration and configuration flows for payment/revenue systems (Stripe and RevenueCat). It scans for, accepts, persists, and smoke-tests STRIPE secret keys, offers Doppler storage for them, and references using Stripe for MRR, charges, and disputes. This is a specific, non-generic payment-gateway integration (Stripe), not merely a generic HTTP or browser tool—so it grants the agent direct access to a payment API and therefore Direct Financial Execution capability.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.90). This wizard explicitly instructs the agent to run many background shell commands that install CLIs, write files (append to ~/.zshrc, create LaunchAgents plists, write prefs/registry files), install and bootstrap a background daemon, and persist credentials to keychain or prefs — all actions that modify the host system state and can affect security/privacy.

Issues (5)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).
  • W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 29, 2026, 06:48 AM
Issues: 5