winapp-package

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes explicit examples that pass certificate passwords and secret paths as command-line arguments (e.g., "--cert-password MyP@ssw0rd" and CI usage "--cert-password ${{ secrets.CERT_PASSWORD }}"), which instructs embedding secret values verbatim in commands and outputs.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill instructs installing/trusting certificates and installing MSIX packages (noting "requires admin"), which modify system trust/install state and therefore pushes actions that change the machine and require elevated privileges.