auth-setup

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly tells the agent to ask the user to paste their API token into chat and then run a command embedding that token (e.g., goldsky login --token USER_PROVIDED_TOKEN), which requires the LLM to receive and output the secret verbatim.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). This skill explicitly instructs soliciting API tokens pasted into chat (facilitating credential theft/exfiltration) and recommends running a remote install via "curl ... | sh" with sudo (enabling remote code execution / supply-chain compromise), making it high-risk for abuse even though no obfuscated payloads or direct backdoor code are present.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill instructs the user at runtime to run "curl https://goldsky.com | sh", which fetches and executes remote code from https://goldsky.com, so this external URL is a runtime dependency that executes remote code.