kwc-project-scaffold

Fail

Audited by Snyk on Mar 23, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to ask the user to provide sensitive fields (client id, client secret, username, env URL, app) and to collect them in chat/inputs, which requires the LLM to receive and potentially output those secret values verbatim, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's workflow (SKILL.md) instructs running kd CLI commands that fetch external resources—e.g., "kd project init" (which performs git clone to download templates) and "kd env auth openapi" (which reads a target environment's data-center list and other OpenAPI responses from a user-supplied env URL)—so the agent is expected to ingest and act on arbitrary third-party environment/API outputs that could influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill requires runtime network operations that fetch and execute remote content and drive interactive prompts — e.g., installing the CLI from an npm registry (example internal registry URL: http://172.17.52.48:8081/repository/npm-group used with "npm i -g @kdcloudjs/cli") and creating/authenticating an environment against https://feature.kingdee.com:1026/feature_dev/ (used with "kd env create" / "kd env auth openapi" which fetches data-center choices) — both are fetched at runtime and are required for the skill to operate.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 23, 2026, 02:00 AM
Issues: 3