check-test-code-quality

Fail

Audited by Snyk on May 2, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). High-risk supply-chain/backdoor capability: the package bundles an automated p7b re-signing workflow together with the signing artifacts it needs, including a keystore (OpenHarmony.p12) and its plaintext password ("123456"). Anyone with access to the repository or to the tool can therefore generate and replace signed provisioning profiles (p7b), and such profiles can grant elevated app/system privileges. This is a serious abuse vector even though the scanner code contains no obvious remote exfiltration or hidden exec payload.
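The finding above is about what is committed to the package, so the check a practitioner wants is a tree walk that refuses to ship keystores, signed profiles and password assignments. The script below is an added example written for this page; it is not part of the audited skill or of Snyk's scanner. The sample tree, the `hap-sign-tool.jar` invocation and the flag names in `PASSWORD_RE` are constructed assumptions about how such a signing script looks, not the package's actual files.

```python
"""Added example: flag embedded signing artifacts and plaintext keystore
passwords in a package tree. Not part of the audited skill or of Snyk's scanner."""
import re
import tempfile
from pathlib import Path

# Artifacts that must never ship inside a package: keystores holding private keys,
# and the signed provisioning profiles a re-signing workflow produces.
KEYSTORE_EXTS = {".p12", ".pfx", ".jks", ".keystore"}
PROFILE_EXTS = {".p7b"}
TEXT_EXTS = {".sh", ".bat", ".py", ".json", ".yaml", ".yml", ".md", ".txt", ".cfg", ".properties"}

# Password assignments as they appear in signing scripts and configs. The flag
# names are assumptions based on common Java/OpenHarmony signing tools.
PASSWORD_RE = re.compile(
    r"(?i)\b(?P<name>keystorePwd|keyPwd|storepass|keypass|store_password|key_password|password)"
    r"[\"']?\s*[=:]?\s*[\"']?(?P<value>[^\s\"',]{4,})"
)
WEAK_PASSWORDS = {"123456", "123456789", "password", "changeit", "admin"}


def looks_like_der(path: Path) -> bool:
    """PKCS#12 keystores and PKCS#7 profiles are DER-encoded: first byte is a SEQUENCE tag (0x30)."""
    with path.open("rb") as fh:
        return fh.read(1) == b"\x30"


def scan_repo(root: str) -> list[dict]:
    """Walk the tree and return one finding per artifact or password assignment."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if ext in KEYSTORE_EXTS and looks_like_der(path):
            findings.append({"kind": "keystore", "path": rel, "severity": "critical"})
        elif ext in PROFILE_EXTS and looks_like_der(path):
            findings.append({"kind": "signed_profile", "path": rel, "severity": "high"})
        elif ext in TEXT_EXTS:
            for m in PASSWORD_RE.finditer(path.read_text(errors="replace")):
                weak = m.group("value") in WEAK_PASSWORDS
                findings.append({"kind": "plaintext_password", "path": rel,
                                 "name": m.group("name"), "weak": weak,
                                 "severity": "critical" if weak else "high"})
    return findings


def build_sample_repo(root: str) -> None:
    """Constructed sample tree; the file contents stand in for real artifacts."""
    sig = Path(root, "signature")
    sig.mkdir()
    # A DER SEQUENCE header plus padding stands in for a real keystore / profile.
    (sig / "OpenHarmony.p12").write_bytes(b"\x30\x82\x01\x00" + b"\x00" * 32)
    (sig / "profile.p7b").write_bytes(b"\x30\x82\x00\x20" + b"\x00" * 32)
    Path(root, "resign.sh").write_text(
        "#!/bin/sh\n"
        "# assumed invocation of an OpenHarmony profile signing tool (constructed)\n"
        "java -jar hap-sign-tool.jar sign-profile -keystoreFile signature/OpenHarmony.p12 "
        "-keystorePwd 123456 -keyPwd 123456 -outFile signature/profile.p7b\n"
    )
    Path(root, "README.md").write_text("Passwords are rotated quarterly.\n")  # no hit expected


def scan_sample() -> list[dict]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        return scan_repo(tmp)


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

Run as a pre-commit or CI gate over the package root; the keystore and profile hits are enough to fail the build on their own, and a weak-list match on a password value is what turns the finding from "secret in repo" into "anyone can re-sign".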

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's workflow explicitly requires fetching remote configuration files for R010 (SKILL.md, translated from Chinese: "R010 external data dependency: R010 must fetch 3 configuration files from a remote repository to build the subsystem-to-component mapping table"), and its R012/R012_* guides reference and rely on public gitcode.com documentation. The agent will therefore ingest untrusted public third-party content that can materially change scanning behavior and the fixes it applies.
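The mitigation a practitioner would want for this finding is to fail closed on remote content: commit a SHA-256 pin for each of the three configuration files next to SKILL.md and refuse to build the subsystem-component mapping from anything that does not match. The code below is an added example for this page, not the skill's own code; the three file names, the JSON mapping format, the sample entries and the tampered variant are all constructed.

```python
"""Added example: fail-closed loading of remotely fetched configuration files.
Not the skill's own code; file names, JSON format and sample data are constructed."""
import hashlib
import json


class UnpinnedContentError(Exception):
    """Raised when fetched content is missing, unpinned, or does not match its pin."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_pinned_configs(fetched: dict[str, bytes], pins: dict[str, str]) -> dict[str, bytes]:
    """Accept a fetched file only if its SHA-256 equals the pin committed with the skill.

    Every pinned file must be present and nothing unpinned may slip in, so a
    remote edit to any of the files stops the run instead of silently
    rewriting the mapping table the scanner relies on."""
    missing = sorted(set(pins) - set(fetched))
    if missing:
        raise UnpinnedContentError(f"pinned files not fetched: {missing}")
    accepted = {}
    for name, data in fetched.items():
        expected = pins.get(name)
        if expected is None:
            raise UnpinnedContentError(f"{name}: fetched but not pinned")
        actual = sha256_hex(data)
        if actual != expected:
            raise UnpinnedContentError(
                f"{name}: SHA-256 {actual[:12]}... does not match pin {expected[:12]}...")
        accepted[name] = data
    return accepted


def build_component_map(configs: dict[str, bytes]) -> dict[str, str]:
    """Component -> subsystem table from JSON lists of {"subsystem", "component"} (constructed format)."""
    table = {}
    for name in sorted(configs):
        for entry in json.loads(configs[name]):
            table[entry["component"]] = entry["subsystem"]
    return table


# Constructed stand-ins for the three remote configuration files R010 fetches.
TRUSTED_REMOTE_FILES = {
    "subsystems.json": b'[{"subsystem": "communication", "component": "wifi"}]',
    "components.json": b'[{"subsystem": "multimedia", "component": "audio_framework"}]',
    "bundle_map.json": b'[{"subsystem": "security", "component": "huks"}]',
}
# In practice these hex digests are generated once from reviewed copies and
# committed next to SKILL.md; here they are derived from the trusted bytes above.
PINS = {name: sha256_hex(data) for name, data in TRUSTED_REMOTE_FILES.items()}


def demo() -> dict:
    table = build_component_map(load_pinned_configs(TRUSTED_REMOTE_FILES, PINS))

    # A remote edit that re-homes a component: must be rejected, not applied.
    tampered = dict(TRUSTED_REMOTE_FILES)
    tampered["bundle_map.json"] = b'[{"subsystem": "attacker_owned", "component": "huks"}]'
    try:
        load_pinned_configs(tampered, PINS)
        tamper_rejected = False
    except UnpinnedContentError:
        tamper_rejected = True

    # An extra file the pin list never mentioned: also rejected.
    extra = dict(TRUSTED_REMOTE_FILES, **{"fourth.json": b"[]"})
    try:
        load_pinned_configs(extra, PINS)
        extra_rejected = False
    except UnpinnedContentError:
        extra_rejected = True

    return {"table": table, "tamper_rejected": tamper_rejected, "extra_rejected": extra_rejected}


if __name__ == "__main__":
    print(demo())
```

Pinning turns the remote fetch into a cache of reviewed content: updating the three files then requires a deliberate pin change in the skill's own repository, which is where a reviewer can see what changed in the mapping before the scanner starts acting on it.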

Issues (2)

CRITICAL E006: Malicious code pattern detected in skill scripts.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level: CRITICAL
Analyzed: May 2, 2026, 01:09 PM
Issues: 2