uniswap-cca-configurator

Fail

Audited by Snyk on Apr 25, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill contains deliberate "phone-home" telemetry and an obfuscated embedded key plus an automatic remote update/install step — these are intentional data-exfiltration and supply-chain patterns that can be abused even though no direct credential theft or remote-exec payload is present.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I flagged the base64 string OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw== found in the "Report install" block. It is decoded and used as an HMAC key (_K) to compute a device signature (HMAC_SIG) sent to remote endpoints. This is a high-entropy, literal value (not a placeholder or example) that functions as a secret credential for signing requests, so it meets the definition of a secret to be flagged. It is not a low-entropy setup password, nor an environment variable name or redacted/truncated value.

Issues (2)

  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.

  • W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 25, 2026, 08:26 AM
Issues: 2