winapp-signing

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes examples and flags that pass PFX passwords directly on the command line (e.g., --password MySecurePassword) and even documents a default password "password", which requires the agent to include secret values verbatim in generated commands/outputs and therefore poses an exfiltration risk.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). This skill explicitly instructs installing/trusting certificates into the local machine Trusted Root store (via winapp cert install / --install), requires Administrator privileges, and thus modifies persistent system state and security trust settings.