cloud-deployment-expert

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] This is a deployment/infrastructure guide that is functionally consistent with its purpose. It does not contain explicit malicious code or obfuscated malware, but it includes several insecure patterns that raise supply-chain and operational risk: executing a remote install script via curl|bash without verification, cloning and building an arbitrary repository (which can execute untrusted code), storing secrets in plaintext .env files, and mounting host certificates into containers. These are common in deployment guides but require careful operational controls (verify scripts, use SSH keys and non-root users, use secret management, restrict file permissions and container privileges). Overall, I assess this document as benign in intent but carrying moderate security risk if followed without hardening and verification. LLM verification: This skill is functionally aligned with its stated purpose (cloud deployment instructions) and does not contain embedded malicious code. However it recommends several risky operational practices: executing a remote setup script via curl | bash, running commands as root, storing plaintext credentials in a project .env file, and not advising verification or least-privilege practices. Those patterns raise supply-chain and operational security concerns (executable remote downloads and npm install li