setup

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill asks the user to paste Jira PAT/API token and then directs the agent to write those values verbatim into the opencode JSON (via the Write tool), which requires the LLM to handle and output secret values directly, creating an exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). Two links are to legitimate web interfaces (Atlassian's API token page and a corporate Jira instance), but the astral.sh/uv/install.sh is a direct shell installer (a downloadable .sh commonly used with curl | sh), which is an inherently risky distribution vector and should be verified before running.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The bundled setup script (reference/setup.sh) fetches and runs content from public third-party URLs—e.g., curling the GitLab releases API (https://gitlab.com/api/v4/...), downloading packages from cli.github.com, and piping the uv installer from https://astral.sh/uv/install.sh—which are untrusted external sources fetched and executed as part of the required setup workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The bundled setup script is executed at runtime and explicitly runs curl -LsSf https://astral.sh/uv/install.sh | sh (and also downloads a glab .deb from gitlab.com to install), which fetches and executes remote code that the skill depends on for the uvx/glab installation.