dibbla

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt contains explicit examples and instructions that place API tokens and secrets inline (e.g., dibbla login --api-key <token>, dibbla deploy ... -e API_KEY=secret, and writing DIBBLA_API_TOKEN into .env), which can require the agent to echo or embed secret values verbatim in generated commands or files.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.85). They include direct links to install.ps1 and install.sh on an unverified domain — remote install scripts (curl|sh or PowerShell IEX) are a high-risk distribution vector unless you verify the publisher and inspect the scripts; api.dibbla.net itself is just an API endpoint and not inherently dangerous.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly documents network fetch-and-execute behavior (e.g., "dibbla run fetches and executes a yaml from the network" and template/install flows that fetch bootstrap yamls and a public manifest from raw.githubusercontent.com), so agents will fetch and act on arbitrary public URLs whose untrusted content can change tool behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly documents runtime fetching-and-execution of remote task files (dibbla run ) — e.g. https://raw.githubusercontent.com/dibbla-agents/dibbla-public-templates/master/getting-started.dibbla-task.yaml (and installer scripts such as https://install.dibbla.com/install.sh) — which are fetched at runtime and executed (equivalent to curl | bash), so the external URL content can directly execute code.