x-cmd-security

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt includes an explicit example of passing a Shodan API key as a command-line argument (x shodan --cfg key=<your-shodan-api-key>), which encourages embedding secret values verbatim in generated commands and thus presents an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill queries public internet intelligence via Shodan (e.g., x shodan host/scan/download, DNS/scan commands) which ingests and returns data from arbitrary public hosts/services (untrusted third‑party content) that the agent is expected to read and interpret.