cicd-workflows

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4] [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4] [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4] [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] command_injection: Reference to external script with install/setup context (SC005) [HIGH] command_injection: Reference to external script with install/setup context (SC005) [HIGH] command_injection: Reference to external script with install/setup context (SC005) [HIGH] command_injection: Reference to external script with install/setup context (SC005) [HIGH] command_injection: Reference to external script with install/setup context (SC005) [HIGH] command_injection: Reference to external script with install/setup context (SC005) This skill is coherent and aligned with its stated purpose: CI/CD workflows for Databricks. I found no direct malicious code. The primary supply-chain concerns are operational: use of unpinned remote installer via curl | sh, unpinned pip installs and actions, and potentially sensitive files written as artifacts or backups. These are common operational risks rather than indicators of malware. With standard mitigations (pin/verify installer and packages, protect production environment approvals, avoid uploading sensitive files) the workflows are reasonable to use. LLM verification: No direct malicious code or backdoor is present in the skill text. However the workflows include risky supply-chain patterns: executing an unverified remote install script via curl | sh and installing unpinned pip packages. These practices reduce integrity guarantees and increase the chance of compromise (credential theft or runner takeover) if the upstream script or packages are altered. Recommendation: replace curl|sh with a pinned, checksum-verified installation (pin to a commit or use an off