sher-deploy

Fail

Audited by Snyk on Feb 18, 2026

Risk Level: CRITICAL

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes a --pass [password] CLI option and explicitly instructs the agent to "share the password", which requires accepting and echoing a plaintext secret (and suggests passing it as a command-line argument), creating a high exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). This is an ephemeral user-generated preview URL on sher.sh (random subdomain serving arbitrary uploaded content), not an official vendor CDN or package manager, so while it's not a direct .exe download, it can host malicious files or scripts and should be treated as moderately risky unless you trust the publisher.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 18, 2026, 04:19 PM