gigaverse

Warn

Audited by Socket on Feb 16, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Credential file access detected

All findings:
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]

This SKILL.md is documentation for a game-oriented AI skill and is internally consistent: the capabilities described match the API endpoints and the credential usage. There is no evidence in this file of malicious code, exfiltration to third parties, or obfuscation. The main security concerns are operational: the documentation encourages or demonstrates storing private keys and JWTs in plaintext files and using shell commands that can leak secrets. Because the referenced scripts (setup.sh, auth.sh) are not provided, their contents could change this assessment; review of those scripts is recommended. Overall assessment: likely benign functionality with moderate operational risk due to secret handling practices.

LLM verification: Based on the provided SKILL.md alone, the skill's declared capabilities match its documented requirements and data flows: it needs a wallet and a JWT to call the Gigaverse API and to perform game actions. The principal security concern is handling highly sensitive credentials (private key and JWT). The documentation warns users not to expose private keys, which is appropriate, but it also shows plaintext persistence of JWT and references config paths without prescribing secure file permissions o

Confidence: 75%
Severity: 75%
Audit Metadata
Analyzed At: Feb 16, 2026, 11:22 AM
Package URL: pkg:socket/skills-sh/happy-nova%2Fshared-skills%2Fgigaverse%2F@b605b2365e672059de8ce5a38208f2018a49bf00