deploying-tailscale-for-zero-trust-vpn
Fail
Audited by Snyk on Mar 16, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The prompt includes explicit examples of pre-auth keys and authkey usage embedded directly in commands and YAML (e.g., --authkey=tskey-auth-xxxxx, TS_AUTHKEY in stringData), which encourages asking for and inserting real secret values verbatim into outputs/commands.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill includes installation steps that fetch and execute remote code at runtime (e.g., curl -fsSL https://tailscale.com/install.sh | sh and wget https://github.com/juanfont/headscale/releases/latest/download/headscale_linux_amd64 followed by executing the binary), which run remotely-provided code as part of required setup.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt explicitly instructs privileged, state-changing operations (e.g., multiple sudo commands, editing /etc/sysctl.conf, moving binaries into /usr/local/bin, configuring system services, adding NET_ADMIN/sys_module capabilities, and running a control server), which would modify the host system and require elevated privileges.
Issues (3)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W013 (MEDIUM): Attempt to modify system services in skill instructions.