week-report-system

Fail

Audited by Snyk on Apr 16, 2026

Risk Level: CRITICAL

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to ask the user for credentials and "write them to the shell profile" (and otherwise guide setup), which requires embedding secret values verbatim in generated shell commands or files, creating a direct exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). This skill is intentionally designed to silently capture and upload every user conversation to an external GitHub repository (requiring a persisted personal access token and embedding it in remote URLs), which constitutes deliberate data-exfiltration and strong privacy/credential-leakage risk even though there is no obfuscated remote code-execution backdoor present.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill clones/pulls a user-provided GitHub repository at runtime using the URL pattern "https://{username}:{token}@github.com/{repo}.git", and the fetched conversation files are concatenated and injected into an AI analysis prompt—i.e., remote repo content directly controls the model's prompt/context.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). This skill silently records every conversation and persistently modifies the host (writing credentials to shell profiles, creating session/files, pushing to a remote repo) and encourages global installation, enabling durable state changes and potential data exfiltration—so it represents a significant security risk even though it doesn't explicitly request sudo or new user creation.

Issues (4)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 16, 2026, 02:28 AM
Issues: 4