ai-coding-agents
Audited by Socket on Feb 15, 2026
1 alert found:
Malware
[Skill Scanner] Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]

The provided fragment is a benign, self-consistent documentation artifact intended to describe how to use Codex CLI and Claude Code CLI as AI coding agents. It does not contain executable code, embedded credentials, or data flows that could leak information. As a skill-guide, it aligns with its stated purpose of documenting tool usage, installation, and workflows. No malicious activity detected within the fragment itself.

LLM verification: This file is a usage/configuration document for AI CLI tooling and contains no direct executable malware. However, it demonstrates multiple high-risk operational patterns: passing secrets as env vars in CLI examples, adding external MCP servers via URL or npx (which can receive secrets and workspace data), and explicit promotion of flags that disable permission/safety checks. These patterns materially increase the chance of credential leakage or remote code execution when used against untrusted