tina-schema-sync

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). This skill instructs sourcing .env and explicitly echoing environment variables (printing the token prefix) and uses env values in inline command assignments, which requires reading and can expose secret values in output, so it presents a credential-exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill directs operators to run "npx tinacms dev", which will fetch and execute the tinacms package from the npm registry at runtime (e.g. https://registry.npmjs.org/tinacms), so remote code is fetched and executed as a required dependency.