dotnet-build-analysis

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes an explicit example that embeds a PAT on the command line ("dotnet nuget update source ... --password $PAT --store-password-in-clear-text"), which is an insecure pattern that would require the agent to place secret values verbatim into generated commands.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes explicit runtime install commands that fetch and execute remote scripts (iex/irm and curl|sh) from the shortened URLs https://aka.ms/install-artifacts-credprovider.ps1 and https://aka.ms/install-artifacts-credprovider.sh, which would run remote code when followed.