kalopilot-sender

Fail

Audited by Snyk on Apr 12, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The skill explicitly asks the agent to prompt the user for a Telegram bot token and to save it into a config JSON (botToken field), which requires embedding the secret value verbatim into generated files/outputs and thus poses an exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). This is a third-party GitHub repository from an individual account that instructs you to run remote Node install scripts and runtime scripts (including installing global packages and handling messaging sessions), which can execute arbitrary code or exfiltrate credentials — so it’s potentially risky unless you verify the source and inspect the code first.

Issues (2)

W007 (HIGH): Insecure credential handling detected in skill instructions.

E005 (CRITICAL): Suspicious download URL detected in skill instructions.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Apr 12, 2026, 07:52 AM
Issues: 2