supply-chain-attack-recon

Fail

Audited by Snyk on Jun 13, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill explicitly instructs scanning for and reporting leaked credentials (e.g., grep for "_authToken=", trufflehog over images, and reporting "leaked npm token!"), and its required deliverables ask for concrete leaked items/paths, which would force the agent to handle and potentially output secret values verbatim.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). Most URLs are reputable advisories, blogs and package-registry API endpoints (not direct .exe/.msi downloads), but the list also contains high-risk supply-chain vectors, e.g. codecov.io/bash, public npm/PyPI/Go/Docker registry endpoints, and workflow/asset endpoints that enable dependency confusion, typosquatting, or curl|bash style execution. While not intrinsically malware, these are realistic channels attackers use to distribute malware and warrant suspicion in recon.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This document is a high-risk, dual-use offensive supply-chain playbook that provides step-by-step techniques for dependency confusion/typosquatting, GitHub Actions workflow injection, and CI/package preinstall hooks that enable RCE, credential theft, and data exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.85). The skill's runtime workflow enumerates and fetches public GitHub repo contents and workflow files (e.g., gh api .../contents/.github/workflows/$wf and .../contents/package.json). These files are outsider-authored free text from third parties (public repos/organizations not authored by the operating user) and can be ingested into the agent's LLM context via the fetched file contents.


Audit Metadata
Risk Level: CRITICAL
Analyzed: Jun 13, 2026, 04:06 PM
Issues: 4