hz-store-pwa
Fail
Audited by Snyk on Jun 18, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The skill contains examples and instructions that require inserting sensitive values verbatim (e.g., the upload command with --app-secret and prompts to collect keystore passwords/aliases), which encourages placing secrets directly in commands or agent output and creates exfiltration risk.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill instructs downloading and running the Meta upload binary via curl from https://www.oculus.com/download_app/?id=1462426033810370&access_token=OC%7C1462426033810370%7C (curl -L -o ovr-platform-util ... && chmod +x ./ovr-platform-util && ./ovr-platform-util ...), which fetches and executes remote code at runtime and is a required dependency for the upload step.
Issues (2)
W007
HIGH: Insecure credential handling detected in skill instructions.
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).