capawesome-native-builds

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes examples that embed secrets directly in CLI arguments (notably --secret "API_KEY=sk-abc123" and password flags like --password <KEY_PASSWORD>), which requires the agent to output or handle secret values verbatim and thus poses an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill repeatedly instructs running npx/npm to fetch and run external packages (e.g., npx @capawesome/cli), which at runtime executes remote code from the npm registry (example package URL: https://www.npmjs.com/package/@capawesome/cli), and the CLI is a required dependency for the workflow.