appdeploy

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to read an api_key from a .appdeploy file (or obtain one) and to place it verbatim into Authorization headers/curl commands (e.g., "Authorization: Bearer {api_key}"), which requires the LLM to output secret values directly.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill requires runtime calls to the external MCP JSON-RPC endpoint (https://api-v2.appdeploy.ai/mcp) — specifically to call get_deploy_instructions that return constraints/instructions the agent must follow before generating code — so fetched content directly controls agent prompts and is a required dependency.