boxlang-commandbox

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). This skill includes a direct CLI example that embeds a subscription key as a command-line argument ("server activate --subscription=YOUR_KEY") and references private key file paths, which encourages placing secrets verbatim in commands/configs and therefore poses an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's installation instructions run a remote install script via "curl -fsSl https://downloads.ortussolutions.com/commandbox-cli-install | bash", which fetches and immediately executes remote code (https://downloads.ortussolutions.com/commandbox-cli-install), a required setup step for the skill.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.85). The prompt includes privileged operations (sudo apt-key / apt-get install), writes to system paths like /var/www, and discusses OS service/JDK management and SSL cert files — all actions that modify system state and require elevated privileges, so it pushes the agent toward changing the machine state.