minio

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill instructs fetching and installing a remote binary (curl -O https://dl.min.io/client/mc/release/linux-amd64/mc followed by chmod/move), which downloads and executes remote code that the skill requires at runtime.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

• Secret detected (high risk: 1.00). I looked for high-entropy, literal values that appear to be real credentials and ignored placeholders (e.g., "your-access-key"), simple/example passwords, and environment variable names. The documentation includes a concrete Access Key and Secret Key in the "For testing, use MinIO Play" section:
• MINIO_ACCESS_KEY="Q3AM3UQ867SPQQA43P2F"
• MINIO_SECRET_KEY="zuf+tfteSlswRu7BJ86wekitnifILbZam1KYY3TG"

These are high-entropy, literal values (not placeholders) and are directly usable credentials. Note: these are the well-known MinIO Play public sandbox credentials (intentionally published by MinIO), so they are likely not sensitive for production — but they meet the definition of real, usable credentials and therefore must be flagged. No other high-entropy secrets or private keys were found; other values are placeholders or env var names.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly includes commands that invoke sudo (e.g., "sudo mv mc /usr/local/bin/") to install a binary, which instructs performing privileged modifications to the host filesystem and thus pushes the agent toward changing the machine state.