azure-devops
Audited by Socket on Feb 16, 2026
1 alert found:
Security [Skill Scanner]: Backtick command substitution detected

This instruction file is functionally aligned with an Azure DevOps automation skill: it legitimately uses AZURE_DEVOPS_TOKEN to call dev.azure.com APIs and to push changes. However, it contains insecure guidance (embedding the PAT in the git remote URL and showing token use directly on the command line) that can lead to credential leakage via .git/config, shell history, or logs. There are no signs of overt malware or obfuscation, but the guidance increases attack surface for token exposure and unintended repository modifications. Recommend removing or warning strongly against inlining tokens in git remotes and favoring secure credential helpers or ephemeral tokens and least-privilege PAT scopes.

LLM verification: The code/documentation is not overtly malicious but contains insecure operational guidance that materially increases the likelihood of credential leakage. The single highest-risk instruction is to embed AZURE_DEVOPS_TOKEN directly in the git remote URL (git remote set-url ...https://${AZURE_DEVOPS_TOKEN}@dev.azure.com/...), which persists the PAT in plaintext in .git/config and can expose it via shell history, process listings, backups, or logs. Recommend removing or flagging that guidance, addi