project-setup
Fail
Audited by Snyk on May 4, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The skill instructs the agent to "collect variables" (including "any other values the blueprint requires") and to "copy fragments verbatim", replacing {{template_variables}} with the actual values. Any credential the agent is handed (an API key, a password) would therefore be written directly into the generated files and commands, from where it can leak into version control, logs or the agent transcript. The skill gives no guidance to reference such values through environment variables or to keep them out of generated output.
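The safe version of "copy fragments verbatim" is a renderer that never inlines a credential. The Python below is an added example, not code from the audited skill or from the report: it fills {{placeholders}} in a blueprint fragment, but any variable whose name or value looks like a secret is emitted as a ${ENV_VAR} reference and returned in a list of variables the user must export, and a post-render check reports any collected secret that still appears verbatim in the output. The secret-name keywords and value shapes are assumptions for this example; the fragment and collected values under `__main__` are constructed.

```python
import re
from typing import Dict, List, Tuple

# Placeholders in a blueprint fragment, e.g. "{{api_key}}" or "{{ project_name }}".
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# Variable names that denote a credential. Assumed list for this example.
SECRET_NAME = re.compile(r"(key|token|secret|password|passwd|credential)", re.IGNORECASE)

# Values that look like a credential whatever the variable is called (assumed shapes).
SECRET_VALUE = [
    re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$"),           # AWS access key id
    re.compile(r"^gh[pousr]_[A-Za-z0-9]{20,}$"),         # GitHub token
    re.compile(r"^sk-[A-Za-z0-9_-]{20,}$"),              # "sk-" style API key
    re.compile(r"^-----BEGIN [A-Z ]*PRIVATE KEY-----"),  # PEM private key
]


def is_secret(name: str, value: str) -> bool:
    """True if either the variable name or the value's shape marks it as a credential."""
    return bool(SECRET_NAME.search(name)) or any(p.match(value) for p in SECRET_VALUE)


def render(fragment: str, variables: Dict[str, str]) -> Tuple[str, List[str]]:
    """Fill placeholders. Secrets are emitted as ${ENV_VAR} references, never inlined.

    Returns the rendered text and the environment variables the user must set
    before the generated file or command is used.
    """
    deferred: List[str] = []

    def substitute(m: "re.Match[str]") -> str:
        name = m.group(1)
        if name not in variables:
            raise KeyError("no value collected for {{" + name + "}}")
        value = variables[name]
        if is_secret(name, value):
            env = name.upper()
            if env not in deferred:
                deferred.append(env)
            return "${" + env + "}"
        return value

    return PLACEHOLDER.sub(substitute, fragment), deferred


def leaked_secrets(rendered: str, variables: Dict[str, str]) -> List[str]:
    """Post-render check: names of collected secrets whose value appears verbatim in the output."""
    return [n for n, v in variables.items() if is_secret(n, v) and v in rendered]


if __name__ == "__main__":
    # Constructed sample: a blueprint fragment and the variables an agent "collected".
    fragment = (
        "PROJECT={{project_name}}\n"
        "OPENAI_API_KEY={{openai_api_key}}\n"
        "DB_URL=postgres://app:{{db_password}}@db/{{project_name}}\n"
    )
    collected = {
        "project_name": "demo-app",
        "openai_api_key": "sk-EXAMPLEvalue0123456789abcdef",
        "db_password": "hunter2",
    }
    text, env = render(fragment, collected)
    print(text)
    print("export these before use:", env)
    print("leaked:", leaked_secrets(text, collected))
```

The value-shape check matters because an agent does not control what the user names a variable: a token collected as "blob" is still deferred. The post-render check is the cheap guard to run on every generated file before it is written to disk or echoed into a command.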
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The skill deliberately provisions persistent, centrally controlled agent configuration (seeded from, or symlinked to, ~/.devcontainer-state), distributes remote MCP server endpoints to every agent, and mandates installing third-party "skills" and running post_create/post_start scripts. Taken together, these give whoever controls the devcontainer-state repository and the skill packages a standing foothold on every machine set up this way: supply-chain injection, a backdoor that persists across container rebuilds, and a channel for covert exfiltration or remote execution.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill requires fetching and running remote content at runtime: git@github.com:loxosceles/devcontainer-state.git (cloned, and the source of the post_create.sh and post_start.sh that are executed), loxosceles/project-blueprints (blueprints read at runtime that drive every instruction), and the command "npx skills add loxosceles/ai-dev" (which downloads and executes remote skill code). As quoted, none of these references carries a commit hash or version pin, so content that shapes the agent's prompts and behaviour can change between runs without review, and the skill cannot function without it.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The rule name refers to system services; what the skill actually does is instruct the agent to perform, and to ask the user to perform, filesystem-modifying operations on the host: installing packages, creating symlinks, pre-creating mount targets and, if ~/.devcontainer-state turns out to be root-owned, running sudo rm -rf on it. That last step normalises privileged, unrecoverable deletion inside the user's home directory. A root-owned directory there often means a container wrote to a bind mount as root; the safer response is to inspect it first (ls -la ~/.devcontainer-state) and chown it back rather than delete it.
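The three findings above (E006, W012, W013) describe patterns that can be checked mechanically before a devcontainer or skill manifest is adopted. The Python below is an added example, not code from the report or from the loxosceles projects: it walks a devcontainer.json, flags lifecycle commands, remote clones without a 40-hex commit pin, runtime `npx skills add` installs, symlinks into ~/.devcontainer-state, privileged rm -rf of that directory, and network MCP endpoints. The regexes are this example's own, not the auditor's rules. The sample document is constructed; its mcpServers layout and endpoint host are assumptions, while the clone URL and npx command are the ones the report quotes.

```python
import json
import re
from typing import Any, Dict, Iterator, List, Tuple

Finding = Tuple[str, str, str]  # (JSON path, rule id, offending text)

# devcontainer.json lifecycle hooks; their values are executed as commands.
LIFECYCLE_KEYS = {
    "initializeCommand", "onCreateCommand", "updateContentCommand",
    "postCreateCommand", "postStartCommand", "postAttachCommand",
}

# Patterns mirroring the report's findings (this example's own, not the auditor's rules).
REMOTE_GIT = re.compile(r"git clone\s+\S+|git@[\w.-]+:\S+\.git|https?://\S+\.git")
PINNED_SHA = re.compile(r"\b[0-9a-f]{40}\b")
NPX_SKILL = re.compile(r"\bnpx\s+skills\s+add\s+\S+")
DESTRUCTIVE = re.compile(r"\b(?:sudo\s+)?rm\s+-(?:rf|fr|r)\s+\S*\.devcontainer-state")
SYMLINK = re.compile(r"\bln\s+-s\S*\s+\S*\.devcontainer-state")


def strings(node: Any, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string in a parsed JSON document."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from strings(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from strings(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def audit(config: Dict[str, Any]) -> List[Finding]:
    findings: List[Finding] = []
    # 1. Anything hooked into the container lifecycle runs without further user review.
    for key in sorted(k for k in config if k in LIFECYCLE_KEYS):
        findings.append((f"$.{key}", "lifecycle-command", json.dumps(config[key])))
    for path, text in strings(config):
        key = path.rsplit(".", 1)[-1].split("[", 1)[0]
        # 2. Remote repositories referenced without a 40-hex commit pin can change under the user.
        for m in REMOTE_GIT.finditer(text):
            if not PINNED_SHA.search(text):
                findings.append((path, "unpinned-remote-repo", m.group(0)))
        # 3. Skill packages installed at runtime execute remote code.
        for m in NPX_SKILL.finditer(text):
            findings.append((path, "runtime-skill-install", m.group(0)))
        # 4. Privileged, destructive cleanup of the shared state directory.
        if DESTRUCTIVE.search(text):
            findings.append((path, "destructive-privileged-command", text))
        # 5. Agent configuration symlinked to a centrally seeded directory persists across rebuilds.
        if SYMLINK.search(text):
            findings.append((path, "shared-state-symlink", text))
        # 6. MCP servers reached over the network are controlled by whoever runs the endpoint.
        if key == "url" and ".mcpServers." in path and text.startswith(("http://", "https://")):
            findings.append((path, "remote-mcp-endpoint", text))
    return findings


# Constructed sample in devcontainer.json shape. The mcpServers layout and the endpoint host
# are assumptions for this example; the clone URL and npx command are the ones the report quotes.
SAMPLE: Dict[str, Any] = {
    "name": "project-setup",
    "postCreateCommand": "git clone git@github.com:loxosceles/devcontainer-state.git ~/.devcontainer-state "
                         "&& ~/.devcontainer-state/post_create.sh",
    "postStartCommand": "ln -s ~/.devcontainer-state/agent ~/.config/agent && npx skills add loxosceles/ai-dev",
    "customizations": {"mcp": {"mcpServers": {"docs": {"url": "https://mcp.example.invalid/sse"}}}},
    "remoteUser": "vscode",
}

if __name__ == "__main__":
    for path, rule, text in audit(SAMPLE):
        print(f"{rule:32} {path}: {text}")
```

A clone that is followed by a checkout of a full commit hash in the same command passes the pin check; a bare clone of a branch does not. The check is deliberately string-based so it also catches the same commands when they appear inside a skill's instructions rather than in the devcontainer file.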