hap-v3-api

Warn

Audited by Socket on Feb 24, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Backtick command substitution detected

All findings:

- [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
- [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
- [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
- [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
- [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]

Report 2 accurately identifies both the functional intent and the meaningful security concerns of automatic credential extraction from local MCP configurations. It rightly flags credential exposure risks (console logging, multi-config ambiguity) and recommends safeguards. To improve, the fragment should incorporate explicit user consent prompts, redact secrets in logs, limit local file reads to scoped contexts, and provide clear opt-in/opt-out controls. Overall, it is acceptable as a technical assessment with actionable security caveats, but requires tightening of credential handling for production use.

LLM verification: The code/instructions are functionally legitimate for integrating with Mingdao HAP V3 and automating retrieval of HAP-Appkey/HAP-Sign from MCP config. However, the guidance advocates broad, automatic scanning of environment variables, processes and many local configuration files and includes examples that print secrets and modify global settings. Those behaviors create a significant privacy and credential-harvesting risk when executed autonomously or without user consent. No direct signs of malw

Confidence: 75%
Severity: 75%
Audit Metadata
Analyzed At
Feb 24, 2026, 08:28 AM
Package URL
pkg:socket/skills-sh/garfield-bb%2Fhap-skills-collection%2Fhap-v3-api%2F@ff0a83cec29346dcf96b5a7cc8eded604a85370b