gangtise-copilot

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs collecting accessKey/secretAccessKey (or accepting them via --access-key/--secret-key CLI flags) and shows credential JSON templates that must contain the exact secret values, which requires the agent to handle and potentially output secrets verbatim (an explicit high-risk pattern).

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). Suspicious — the flow instructs cloning and running shell scripts from an unvetted GitHub account (daymade) and downloading ZIPs from a cloud OBS bucket (gts-download.obs.myhuaweicloud.com), which can deliver and execute arbitrary code and exfiltrate credentials; while GitHub and the gangtise auth endpoint look legitimate, they do not eliminate the risk of malicious or compromised install scripts.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md and references/skill_registry.md show the wrapper installs and routes to upstream skills that fetch and ingest open/public third-party content — notably gangtise-web-client (public web search from open.gangtise.com) and gangtise-wechat-summary (WeChat group chat ingestion) — and those results are read and used by workflow skills (e.g., gangtise-opinion-pk, gangtise-stock-research), so untrusted/user-generated content can materially influence the agent's analysis.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). Yes — the installer fetches and installs code at runtime from external repositories (e.g., git clone https://github.com/daymade/claude-code-skills.git and curl/unzip from https://gts-download.obs.myhuaweicloud.com/skills/), which are remote archives/scripts that get written and executed locally, so the fetched content can directly control agent behavior.