github-workflow

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] This skill's code and examples are coherent with its stated purpose: automating GitHub Actions workflows, targeted testing, security scanning, and adaptive deployment. The most sensitive capability is use of the repository's GITHUB_TOKEN via the gh CLI to read run logs and create issues — this is necessary for the claimed features but is a privileged operation and should be granted minimally. No evidence of hardcoded secrets, obfuscated malware, or third-party credential harvesting was found. Main concerns are operational: ensure workflow permissions are least-privilege, validate JSON merging for security-results.json, and review auto-fix steps to avoid unintended side effects. Overall the artifact appears benign but with normal CI workflow privileges that must be controlled. LLM verification: No deliberate malware or explicit exfiltration code detected in this file. The examples serve legitimate CI/CD automation purposes but include risky practices that raise supply-chain and operational security concerns: unpinned package installs, executing install-time scripts as auto-fixes, brittle JSON concatenation for scan outputs, and broad use of GH_TOKEN to modify repo state. Treat these templates as potentially hazardous if used as-is in environments that accept untrusted contributions; ha