project-tooling
Fail
Audited by Snyk on Apr 9, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The prompt explicitly asks the agent to request the user's Render API key and shows commands that place the key verbatim into environment files (export/echo to .env), so the agent may be instructed to collect and embed secret values directly.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The GitHub Actions referenced in the CI workflows (e.g., uses: actions/checkout@v4 → https://github.com/actions/checkout, uses: amondnet/vercel-action@v25 → https://github.com/amondnet/vercel-action, and uses: supabase/setup-cli@v1 → https://github.com/supabase/setup-cli) are runtime external dependencies that fetch and execute remote code during CI runs, so they meet the criteria for an external code-executing dependency.
Issues (2)
W007 (HIGH): Insecure credential handling detected in skill instructions.
W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata