afs

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly shows and instructs embedding access keys and secret access keys directly in config commands and examples (CLI args and config files), which requires the agent to include secret values verbatim and thus creates an exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). Although most entries are legitimate S3/R2/OSS provider endpoints and examples, the skill explicitly instructs a direct "curl https://raw.githubusercontent.com/.../install.sh | bash" (and references S3/R2/backblaze-hosted files and presigned URLs) — patterns that enable arbitrary executable/script distribution from untrusted/unknown accounts, so this set is moderately-high risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly supports cloud operations (e.g., "afs cloud download", "afs cloud list", and the "Cloud sync workflow") that fetch files from arbitrary S3-compatible endpoints configured by the user and states "All commands return standardized JSON for AI Agent parsing", so the agent will ingest and act on untrusted third‑party file content from public/remote buckets which could contain instructions that influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The Quick start includes an installation command that fetches and immediately executes remote code via "curl -fsSL https://raw.githubusercontent.com/geekjourneyx/agent-fs/main/scripts/install.sh | bash", so the URL is used to execute remote code during setup and is a required dependency.