elestio

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly requires the agent to receive API tokens and other secrets and shows/uses commands that embed those secrets verbatim on the command line (e.g., elestio login --token, s3-backup --key/--secret, cicd registry-add --password), forcing the LLM to handle and output secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's CI/CD flow explicitly accepts arbitrary GitHub/GitLab repositories and auto-creates pipelines (see "elestio cicd create --auto --target --name my-app --repo owner/repo --mode github" and the "Auto-create pipeline flow" in SKILL.md), meaning the agent will cause fetching and interpretation of untrusted, user-generated repo content that can change deployment actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The README instructs running curl -fsSL https://raw.githubusercontent.com/elestio/elestio-skill/main/scripts/install.sh | bash which fetches and external script and executes it (and that script in turn git-clones https://github.com/elestio/elestio-skill), so there is clear runtime fetching and execution of remote code used to install/run the skill.