eve-bootstrap

Fail

Audited by Socket on Feb 19, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]

Functionally the instructions are internally coherent for bootstrapping an Eve project: the capabilities match the stated purpose (profile creation, auth request, polling for approval, storing credentials, and project manifest bootstrapping). There is no embedded executable malware in this document. However, the skill directs the user/CLI to communicate with non-standard staging domains (api.eh1.incept5.dev and web.incept5-evshow-staging.eh1.incept5.dev). That creates a supply-chain / trust risk: sensitive items (SSH public key, eventual auth token stored in ~/.eve/credentials.json, org/repo metadata) will be sent to those endpoints. If those endpoints are not trusted or are impostors, the user could inadvertently hand credentials or project control to a third party. Recommend verifying the intended API/web endpoints and confirming the operator is interacting with the official service before proceeding. Overall verdict: SUSPICIOUS (trusted-looking functionality but potentially risky endpoints and credential flows).

LLM verification: This skill’s documented behavior is internally consistent with an onboarding/bootstrap tool: it needs SSH public keys, user metadata, and stores a token locally after a remote approval flow. There is no direct evidence of obfuscation or embedded malicious code in the provided skill text. However, all sensitive data (SSH public key and resulting auth token) is sent to and issued by the referenced API/web endpoints under the incept5.dev domain rather than a well-known public Anthropic domain; that

Confidence: 95%
Severity: 90%

Audit Metadata

Analyzed At: Feb 19, 2026, 03:56 PM
Package URL: pkg:socket/skills-sh/incept5%2Feve-skillpacks%2Feve-bootstrap%2F@3f62c77fd14ddce5b765b65dc9e21dedc8fb35cb