deployment

Fail

Audited by Socket on Feb 17, 2026

1 alert found:

Malware: HIGH
SKILL.md

[Skill Scanner] Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] command_injection: Reference to external script with install/setup context (SC005)
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]

This is a deployment guidance skill with coherent purpose and matching capabilities. It contains practical examples for CI/CD, Docker, platform CLIs, env validation, health checks, and monitoring. I found no embedded malicious code or obfuscation in the provided content. The primary supply-chain concerns are procedural: (1) executing remote installers via curl | sh (fly.io example) and (2) depending on third-party GitHub Actions (especially unpinned refs) and community deploy actions. Those are common in deployment docs but increase the attack surface and require auditing before use. Overall this skill is BENIGN in intent, but exercise normal supply-chain hygiene: audit installer scripts, pin action versions, and limit secrets scope in CI.

LLM verification: This skill is generally coherent and aligned with its stated purpose (deployment guidance). I did not find direct malicious code in the provided documentation and example code, but there are supply-chain and operational risks: executing remote install scripts via curl|sh, unpinned npm installs, and potential logging or CI bypasses that could expose or mishandle secrets. Treat the install instructions cautiously: prefer pinned releases, verify remote install scripts (or use vendor-signed installe

Confidence: 95%
Severity: 90%

Audit Metadata
Analyzed At: Feb 17, 2026, 06:52 AM
Package URL: pkg:socket/skills-sh/mgd34msu%2Fgoodvibes-plugin%2Fdeployment%2F@2f78c3b10596e3525a07146effc47293c7c80626