temps-platform-setup
Fail
Audited by Snyk on Apr 2, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt routinely shows and instructs using API tokens, passwords, and API keys in command-line flags, CLI non‑interactive login, and example connection strings (e.g., ghp_..., AKIA..., tk_...), which forces any agent following it to accept and emit secret values verbatim in commands and outputs.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). The set includes direct installer scripts and a "curl | bash" install from an external domain (https://temps.sh/deploy.sh) plus third‑party repos (gotempsh/temps) and non‑official domains that could deliver executables — a risky pattern for malware distribution even though some links (GitHub, MaxMind, gitlab.com, localhost) are legitimate.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill includes commands that fetch and execute remote code at runtime — notably curl -fsSL https://temps.sh/deploy.sh | bash (downloads and runs a remote install script) and git clone https://github.com/gotempsh/temps.git followed by build/run steps that execute repository code — which directly executes external content.
Issues (3)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- E005 (CRITICAL): Suspicious download URL detected in skill instructions.
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).