developer-portfolio
Audited by Socket on Feb 21, 2026
1 alert found:
Malware [Skill Scanner] Destructive bash command detected (rm -rf, chmod 777)

All findings:
[CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4]

This document is a benign README for a Next.js portfolio template. It does request sensitive environment variables (Telegram bot token, Gmail app password, Vercel token) and suggests removing git history, which increases operational risk if users do not secure or review secrets and the template code. No direct malicious code or obfuscated payloads are present in the provided fragment. The main risks are credential misuse or accidental leakage during deployment and the loss of provenance from removing .git. Recommend: review the actual template source code before setting secrets or deploying; avoid committing secrets; use per-purpose, scoped tokens and rotate them; prefer using provider-native secret storage for deploys rather than embedding tokens in CLI history.

LLM verification: This SKILL.md is a legitimate-looking Next.js portfolio template with appropriate install/build/deploy instructions. However, it contains destructive shell commands (rm -rf .git and moving hidden files) and asks for sensitive credentials (GMAIL app password, Telegram bot token, VERCEL_TOKEN) which — while plausible for the stated features — must be handled carefully. No direct evidence of malware or credential exfiltration is present in the provided content, but supply-chain risks (unvetted depe