act
Fail
Audited by Snyk on Feb 16, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt shows and recommends passing secrets as literal values on the command line and in a .secrets file (e.g., act -s GITHUB_TOKEN=ghp_xxxxx, API_KEY=key123). Following it would require an agent to accept secret values and embed them verbatim in commands or files, which is an exfiltration risk: a value placed on the command line is also recorded in shell history and visible to other local users in process listings, and a value written to .secrets is exposed if that file is committed or left world-readable.
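The two checks below are an added example, not code from the audited skill or from the act project. They reject an act command line that carries a literal secret value, accept a .secrets file only when it is mode 0600 and git-ignored, and show the invocation shape that keeps the value out of argv. The sample repository layout is constructed in a temporary directory; act itself is not run.

```shell
#!/bin/sh
# Added example (not from the audited skill or from act): preflight checks for
# how secret values reach act, plus the invocation that keeps them off argv.
set -eu

# 1. Return 0 when an act command line carries a literal secret value
#    (-s NAME=VALUE, --secret NAME=VALUE or --secret=NAME=VALUE), 1 otherwise.
has_literal_secret() {
  printf '%s\n' "$1" |
    grep -Eq -- '(^|[[:space:]])(-s|--secret)([[:space:]]+|=)[A-Za-z_][A-Za-z0-9_]*=[^[:space:]]'
}

# 2. Accept a .secrets file only if it is mode 0600 and listed in .gitignore,
#    so other local users cannot read it and it cannot be committed by accident.
secrets_file_ok() {
  dir="$1"
  [ -f "$dir/.secrets" ] || return 1
  mode=$(stat -c '%a' "$dir/.secrets" 2>/dev/null || stat -f '%Lp' "$dir/.secrets")
  [ "$mode" = "600" ] || return 1
  grep -qx '\.secrets' "$dir/.gitignore" 2>/dev/null
}

# 3. Constructed sample repo (not a real project) with a correctly protected
#    .secrets file; prints the directory path.
make_sample_repo() {
  dir=$(mktemp -d)
  ( umask 077; printf 'API_KEY=example-value-for-demo\n' > "$dir/.secrets" )
  printf '.secrets\n' > "$dir/.gitignore"
  printf '%s\n' "$dir"
}

# Demonstration: the audited pattern is rejected, the protected file is accepted.
# The safe shape passes only the secret NAME: act then takes the value from an
# environment variable of the same name, or prompts for it when that is unset,
# so the token never appears in shell history or in `ps` output.
demo() {
  if has_literal_secret 'act -s GITHUB_TOKEN=ghp_xxxxx'; then
    echo 'rejected: literal secret value on the act command line'
  fi
  repo=$(make_sample_repo)
  if secrets_file_ok "$repo"; then
    echo "ok: $repo/.secrets is 0600 and git-ignored"
    # Safe shape (shown, not executed; act is not needed to run this example):
    #   GITHUB_TOKEN="$(gh auth token)" act -s GITHUB_TOKEN --secret-file "$repo/.secrets"
  fi
  rm -rf "$repo"
}
demo
```

`act -s GITHUB_TOKEN="$(gh auth token)"` is the form the act README suggests; the environment-variable form above is preferable because command substitution still leaves the token in act's argv.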
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill instructs fetching and executing third-party artifacts: an install script from raw.githubusercontent.com that the agent runs directly, and public Docker images (e.g., catthehacker/ubuntu on Docker Hub) and the GitHub Actions referenced in workflow files, which act pulls and runs as part of the workflow. Because these references resolve to whatever the remote currently serves, the skill consumes untrusted public content that can change between runs.
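As an added example, not code from the audited skill, act, or GitHub, the script below lists the `uses:` references in a workflow that are not pinned to a full commit SHA and checks that an act `-P` platform mapping carries an image digest rather than a mutable tag. The workflow file is constructed inline, and the 40-hex and 64-hex values in it and in the test are placeholders, not real commits or digests.

```shell
#!/bin/sh
# Added example (not from the audited skill, act, or GitHub): checks that the
# third-party content act will pull is pinned to immutable identifiers, a commit
# SHA for actions and a sha256 digest for container images.
set -eu

# Print every `uses:` reference in a workflow file, one per line.
uses_refs() {
  sed -nE 's/^[[:space:]-]*uses:[[:space:]]*"?([^"[:space:]#]+)"?.*$/\1/p' "$1"
}

# Print the references that are mutable, i.e. not ending in a 40-hex commit SHA.
# Local actions (./path) and docker:// images pinned by digest are accepted.
# Prints nothing when everything is pinned.
unpinned_uses() {
  uses_refs "$1" |
    grep -Ev '^\./' |
    grep -Ev '^docker://[^@]+@sha256:[0-9a-f]{64}$' |
    grep -Ev '@[0-9a-f]{40}$' || true
}

# Same rule for an act platform mapping (-P runner=image): the image must carry
# a sha256 digest, otherwise the tag can be repointed upstream at any time.
platform_pinned() {
  printf '%s\n' "$1" | grep -Eq '^[^=]+=[^@]+@sha256:[0-9a-f]{64}$'
}

# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
make_sample_workflow() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: ./.github/actions/local-tool
      - uses: docker://alpine:3.19
EOF
  printf '%s\n' "$f"
}

demo() {
  wf=$(make_sample_workflow)
  echo "unpinned references in $wf:"
  unpinned_uses "$wf"        # actions/checkout@v4 and docker://alpine:3.19
  rm -f "$wf"
  # A real digest comes from the pulled image, e.g.
  #   docker inspect --format '{{index .RepoDigests 0}}' catthehacker/ubuntu:act-latest
  if platform_pinned 'ubuntu-latest=catthehacker/ubuntu:act-latest'; then
    echo 'pinned'
  else
    echo 'rejected: -P mapping uses a mutable tag; pin it as image@sha256:<digest>'
  fi
}
demo
```

Pinning by SHA or digest does not make the content trustworthy, it makes it stable: review the pinned version once, then the check guarantees that what runs later is what was reviewed.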
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly instructs running privileged commands (e.g., curl ... | sudo bash, sudo systemctl start docker, sudo usermod -aG docker $USER) that request sudo and modify system state, so it pushes the agent to perform privileged, state-changing actions. Note that adding an account to the docker group grants it root-equivalent access to the host, so the last command is a persistent privilege change, not a one-off service start.
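The following is an added example, not code from the audited skill or from act, showing what stands in for `curl ... | sudo bash`: detect the piped-into-sudo pattern, download to a file, verify it against a pinned sha256, and only then execute it, with no execution at all on a mismatch. The installer script and the URL in the demonstration are constructed stand-ins, and the network fetch is left out so the example runs offline.

```shell
#!/bin/sh
# Added example (not from the audited skill or from act): replace
# `curl ... | sudo bash` with download, verify against a pinned sha256, run.
set -eu

# Return 0 if a command line pipes a download straight into a (sudo) shell.
pipes_download_into_sudo_shell() {
  printf '%s\n' "$1" |
    grep -Eq '(curl|wget)[^|]*\|[[:space:]]*sudo[[:space:]]+(-E[[:space:]]+)?(ba)?sh'
}

# sha256 of a file on GNU (sha256sum) or BSD (shasum) userland.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 only when the file matches the expected digest. The expected value is
# pinned by the operator after reviewing that version of the script once.
verify_sha256() {
  [ "$(file_sha256 "$1")" = "$2" ]
}

# Run an installer only after it verifies; return 1 without executing anything
# on mismatch. The fetch step would be `curl -fsSL -o "$script" "$url"`.
run_verified() {
  script="$1" expected="$2"
  if ! verify_sha256 "$script" "$expected"; then
    echo "refusing to run $script: sha256 does not match pinned value" >&2
    return 1
  fi
  sh "$script"
}

# Constructed stand-in for a downloaded installer (not act's real install script).
make_sample_installer() {
  f=$(mktemp)
  printf '#!/bin/sh\necho "installer ran"\n' > "$f"
  printf '%s\n' "$f"
}

demo() {
  # Constructed command line; the URL is a placeholder, not a real install script.
  if pipes_download_into_sudo_shell 'curl -fsSL https://raw.githubusercontent.com/example/install.sh | sudo bash'; then
    echo 'rejected: download piped into sudo bash'
  fi
  s=$(make_sample_installer)
  good=$(file_sha256 "$s")
  run_verified "$s" "$good"                          # prints "installer ran"
  run_verified "$s" "$(printf '%064d' 0)" || true     # refused, nothing executed
  rm -f "$s"
  # Privileged follow-ups stay explicit and separate (e.g. `sudo systemctl start docker`)
  # rather than hidden inside a fetched script. `sudo usermod -aG docker $USER` is
  # root-equivalent: a docker-group member can mount / into a container. Prefer
  # rootless Docker or a dedicated CI account where that matters.
}
demo
```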
Audit Metadata