ccupp-password-profiler

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs generating password dictionaries from target personal data and old passwords, which requires the agent to include sensitive values and their exact variants verbatim in generated outputs, creating a high exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). High-risk: the skill explicitly describes tooling and workflows to generate social-engineering-based password dictionaries and to perform targeted brute-force attacks (credential guessing) enabling unauthorized access and credential theft.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's installation instructions explicitly fetch and install remote code from https://github.com/WangYihang/ccupp (git clone https://github.com/WangYihang/ccupp.git followed by pipx install .), so external content would be downloaded and executed and is a required dependency.