huawei-cloud-cce-env-assessment

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly asks for Huawei Cloud AK/SK, instructs saving them into environment variables and using them in hcloud CLI commands (including --cli-access-key/--cli-secret-key), which requires the agent to handle and potentially emit secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). Step 3 (scripts/collect_all.py) ingests outsider-authored free text by cloning Dockerfile_REPO_URL (user-supplied but not authored by the operating user) and reading api/Dockerfile and web/Dockerfile contents into data/cloud-native-collection.md (then used for scoring/report); this is indirect prompt injection via repository text.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs the agent to try sudo when encountering permission problems (Rule 3), which encourages privilege escalation and modifying the machine state, so it should be flagged.

MEDIUM W021: Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).

• Hidden Unicode characters detected (1 type(s) found)