adk-scaffold

Fail

Audited by Snyk on Mar 11, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes flags like --google-api-key and examples of running CLI commands with flags, which encourages embedding API keys/secrets verbatim in generated commands (an insecure exposure pattern).

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.90). The URL is a direct link to a shell installer (install.sh) on a third‑party domain. Encouraging curl | sh style installation can execute arbitrary code on the host, so unless you trust and have verified the publisher (astral.sh), this is high risk.

Issues (2)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 11, 2026, 09:05 PM
Issues: 2