winapp-package

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt includes examples and options that pass certificate passwords and PFX paths directly on the command line (e.g., --cert-password MyP@ssw0rd and a default "password"), which encourages embedding secret values verbatim in generated commands.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill explicitly instructs installing/trusting certificates (requires admin) and installing MSIX packages on the host—operations that change the system certificate store and install software, so it pushes the agent to perform privileged modifications to the machine state.