senhasegura-skill

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt contains numerous examples and templates that place client_secrets, access tokens, private keys, and passwords directly into curl commands, config files, and API requests, which would require an agent to emit secret values verbatim in its output.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's CI/kubernetes examples download and execute the DSM CLI at runtime from https://github.com/senhasegura/dsmcli/releases/latest/download/dsm-linux-amd64, which is a required runtime dependency that fetches and runs remote code to perform secret injection.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly instructs privileged system changes (e.g., using sudo mv to install a CLI into /usr/local/bin) and guides installing/altering runtime components (helm/kubectl, creating Secrets/CRDs) which modify the machine/cluster state and require elevated privileges.