winapp-signing

Fail

Audited by Snyk on Apr 29, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill shows and encourages passing PFX passwords directly on the command line (e.g., --password MySecurePassword and default 'password') and includes literal password examples, which requires the LLM to emit secret values verbatim in commands—an exfiltration risk.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs installing/trusting certificates into the machine Trusted Root store and requires Administrator/elevated privileges, which modifies persistent, system-wide security state.

Issues (2)

W007 (HIGH): Insecure credential handling detected in skill instructions.

W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level: HIGH
Analyzed: Apr 29, 2026, 11:06 AM
Issues: 2