kamal-deploy

Fail

Audited by Socket on Feb 16, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]

BENIGN overall with minor risk signals: The fragment is a legitimate deployment guidance document for Kamal and does not include executable malware or backdoors. The primary concerns are the presence of plaintext credential examples in documentation and the inclusion of an external hook that transmits data (Honeybadger) which users should opt-in to. To improve security posture, ensure all published examples use clearly labeled placeholders, sanitize any copied snippets, and provide guidance to review and authorize external webhook destinations before enabling hooks. Additionally, recommend storing secrets exclusively in .kamal/secrets and never in Git or deploy.yml without proper protection.

LLM verification: The skill is functionally consistent with its stated purpose (Kamal deployment guidance) but includes risky operational recommendations: mandatory external WebFetch calls, recommending plaintext .kamal/secrets, unpinned gem/apt installs, and hook examples that can exfiltrate environment variables. These practices increase supply-chain and credential-exfiltration risk. I assess the content as SUSPICIOUS from a supply-chain/security perspective (not overtly malicious, but several risky instruction

Confidence: 95%
Severity: 90%

Audit Metadata
Analyzed At: Feb 16, 2026, 01:33 PM
Package URL: pkg:socket/skills-sh/nityeshaga%2Fclaude-code-essentials%2Fkamal-deploy%2F@22b6c5df35f1a83d3ec42c129b91d3a3fa0ea3ea