setup-devcontainer

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes explicit CLI examples that pass tokens and secrets inline (e.g., gitpod login --token "<PAT>", gitpod project secret set ... "<token>", and base64-encoded private keys), which requires the agent to accept and embed secret values verbatim, creating an exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). Directly curling and piping https://claude.ai/install.sh to sh is high-risk because it fetches and executes an arbitrary remote shell script (which can perform any actions on the host) — even if claude.ai appears to be an official domain, running an unreviewed .sh from the network is unsafe.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly scans repository files and legacy .gitpod.yml to detect frameworks and extract ports/tasks (Phase 1) and also embeds an external install command in .ona/automations.yaml ("curl -fsSL https://claude.ai/install.sh | sh"), so untrusted user-provided repo content and a third-party install script are read/used and can materially influence generated config and subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill unambiguously includes and always links to runtime execution of remote code via "curl -fsSL https://claude.ai/install.sh | sh" (the Claude Code installer), which is a required dependency for the workflow and therefore a high-risk external executable dependency.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill instructs the agent to install remote code (curl | sh), add tasks that modify git/SSH/GPG configuration, and manage/inject sensitive secrets and SSH keys into environments (including automations that write SSH/GPG data and an always-included installer), which pushes the agent to change system/user state and handle secrets that can compromise the machine or environment.