payram-headless-setup

Fail

Audited by Socket on Feb 17, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] URL pointing to executable file detected

All findings:
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[HIGH] command_injection: Reference to external script with install/setup context (SC005)
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]

The PayRam Headless Setup description is largely coherent and aligned with its intended automation-centric deployment. However, the review identifies significant supply-chain and secret-management risks: plaintext storage of tokens/mnemonics, potential credential leakage through environment variables and logs, and reliance on downloaded scripts from a public repository without integrity verification. To elevate safety, implement verified script delivery (signatures/checksums), encrypt at-rest secrets or restrict file permissions, minimize secret exposure in logs, and add robust auditing and secret rotation policies. Overall, the baseline is acceptable for non-production use with strong caveats; in production, apply the recommended hardening steps to reduce risk.

LLM verification: The skill's documented capabilities align with its purpose (headless payment setup), but it includes several risky behaviors that elevate supply-chain and operational risk: executing an unverified remote install script from raw.githubusercontent, storing sensitive tokens and mnemonics in plaintext files, and automating wallet deployments and fund sweeps with quiet/non-interactive flags. I rate this as suspicious rather than overtly malicious: it is coherent with legitimate use but offers high-pr

Confidence: 95%
Severity: 90%

Audit Metadata
Analyzed At: Feb 17, 2026, 10:45 AM
Package URL: pkg:socket/skills-sh/payram%2Fpayram-helper-mcp-server%2Fpayram-headless-setup%2F@825d664b7395f0ac574727f55ea25edde3ab58c1