Ark Setup

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] This skill is functionally consistent with its stated purpose (building and installing Ark in a local Kind cluster). I found no explicit malicious code or hardcoded secrets in the instructions themselves. However, the workflow requires building and executing code checked out from GitHub/PRs and running npm install/build, and it requires access to the Docker daemon and kubeconfig. That makes the process inherently high-risk for supply-chain or code-execution attacks if the cloned repository or its dependencies are malicious or compromised. Treat execution of these steps on untrusted or public PRs as suspicious and run them in strongly isolated environments with minimal credentials exposed. LLM verification: No explicit malicious code or obfuscation was found in the provided instructions. However, the documented workflow presents a moderate security risk: it executes unverified code (git clone + npm install + node installer) in an environment with Docker and Kubernetes access and it overwrites the user's kubeconfig without backup. This combination could enable credential theft or arbitrary cluster/host modifications if the repository or any npm dependency is malicious or compromised. Recommended mit