qshell
Fail
Audited by Snyk on Apr 6, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes commands that embed secrets as CLI arguments (e.g., qshell account , awsfetch/alilistbucket with ) and instructs the agent to execute or emit those commands, which requires handling/outputting secret values verbatim.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The included install script (references/install.sh) is executed at runtime when qshell is missing and it fetches/releases data from https://api.github.com/repos/qiniu/qshell/releases/latest and downloads a qshell binary via https://kodo-toolbox-new.qiniu.com/qshell-v${VERSION}-${SUFFIX}.tar.gz which is extracted and executed, so these runtime URLs are used to fetch and run remote code required by the skill.
Issues (2)
W007
HIGHInsecure credential handling detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata