safe-encryption

Fail

Audited by Snyk on Mar 20, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt contains numerous examples and automation steps that embed plaintext passwords/passphrases and key material directly into commands and browser automation (e.g., -p "mypassword", browser_type(... text="my-password")), which would require the LLM to output secret values verbatim and is therefore high-risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). The list mixes raw GitHub Gist/termbin URLs and an unverified custom download domain (thesafe.dev) that serve direct binaries and scripts plus some GitHub repos/user endpoints of unclear reputation — all common vectors for distributing malicious executables if the sources and checksums/maintainer trust aren't independently verified.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to fetch and act on public, user-generated content — e.g., pulling public keys from https://github.com/{username}.keys, retrieving encrypted payloads via curl from public Gists (https://gist.github.com/.../raw) and pastebins/termbin, and then importing/using those keys or decrypting/responding to the fetched messages — which are untrusted third‑party sources that can materially influence subsequent tool use and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill explicitly runs a remote installer at runtime (e.g., curl -sSfL https://thesafe.dev/install.sh | sh and the platform-detecting one-liner that curls https://thesafe.dev/downloads/safe-... to install the SAFE CLI), which fetches and executes remote code required for the skill to operate.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly tells the agent to auto-install the CLI using a platform-detecting one-liner that runs sudo mv into /usr/local/bin and to use sudo when permissions are denied, which asks the agent to obtain elevated privileges and modify system-level files/paths.

Issues (5)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 20, 2026, 11:05 AM
Issues: 5