wxmini-security-audit

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill's pipeline explicitly extracts secrets into raw_secrets.json and generates "secrets_full.md" containing all sensitive findings (and agents receive raw_secrets.json as input), which requires the agent to read and may output secret values verbatim, creating an exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). Although many listed entries are harmless placeholders (api.example.com, backend.example.com) or general sites (ara.so), the skill explicitly instructs obtaining an unsigned Windows executable (unveilr.exe) from an unfamiliar GitHub account (nicholaschan23/unveilr) and references another small GitHub repo (sssmmmwww/wxmini-security-audit); downloading and running .exe files from unknown/unverified GitHub users is a notable malware/distribution risk unless the binary is built from audited source and integrity is verified.