ccboard

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly describes showing "full command and arguments" and "environment variables with values" from MCP/server configs and Claude directories, which would require the agent to read and output secret tokens or API keys verbatim.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's install instructions/scripts invoke remote installers (e.g., "curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh") and also reference cloning the repository (https://github.com/{OWNER}/ccboard), which fetch and execute remote code as part of setup and are required to obtain the Rust/cargo toolchain and source, so they constitute runtime external code execution risk.