godspeed

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly demonstrates passing a token as a command-line argument (godspeed login --token ), which requires inserting the secret verbatim into generated commands and therefore poses an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's install instructions explicitly run a remote install script via curl -fsSL https://raw.githubusercontent.com/syxs/godspeed-cli/master/install.sh | bash (and the CLI's setup command invokes npx -y skills add Lag0/godspeed-cli), which fetches and executes remote code at install/runtime and is required for the skill to operate.