ln-030-vps-bootstrap
Fail
Audited by Snyk on May 5, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt tells the operator to hand API keys/SSH keys/tokens to the LLM and explicitly instructs Claude to substitute those values into templates and generated commands/files (e.g. headers like --header "x-ref-api-key: ${REF_API_KEY}", rendered unit files, secrets.env), which requires the model to handle and output secret values verbatim.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and installs third-party code and marketplace content (AGENT_SKILLS_REPO_URL / GitHub clone and Claude plugin marketplace in Step 5c) and ingests untrusted, user-generated content at runtime via the dispatcher (references/dispatch.md — reading GitHub/GitLab issue bodies) and the Telegram relay-bot (Step 7c), all of which the agent is expected to read and act on, creating a clear avenue for indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill fetches and executes remote install code at runtime via curl|bash from https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh and also clones the external marketplace https://github.com/levnikolaevich/claude-code-skills.git at runtime to install plugins that directly control agent prompts/instructions, both of which are required for the skill to operate.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly instructs creating a system user, installing packages, writing system-wide files (under /etc, /usr/local), adding systemd units, and running root/sudo commands over SSH, which directly modifies privileged machine state and requests privilege-escalated actions.
Issues (4)
HIGH W007: Insecure credential handling detected in skill instructions.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
MEDIUM W013: Attempt to modify system services in skill instructions.
Audit Metadata