harmonyos-device-automation

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt includes examples that embed plaintext credentials directly into CLI/act prompts (e.g., filling a password field with 'pass123') and shows API key values in .env examples, which encourages the agent to handle and output secret values verbatim, creating an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill requires running the CLI via "npx @midscene/harmony@1", which at runtime will fetch and execute package code from the npm registry (e.g. https://registry.npmjs.org/@midscene/harmony), so external code is downloaded and executed as a required dependency.