performing-security-code-review

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to scan for hardcoded secrets and to include per-finding "code snippet" entries in the report (file path, line number, code snippet), which would require exposing secret values verbatim unless redaction is enforced.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The repository includes explicit, intentionally malicious constructs — notably a MaliciousClass that serializes to a payload invoking os.system("rm -rf /") (base64-encoded pickled data) and unsafe deserialization/command-execution patterns (subprocess.run with shell=True) that are ready-to-run, indicating deliberate inclusion of destructive RCE behavior rather than mere accidental insecurity.