security-supply-chain

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill reads and rewrites the project's .npmrc and instructs the agent to "preserve all existing settings" when editing, which forces the LLM to receive and reproduce any auth tokens or registry credentials present in that file (verbatim) when producing the edited file — creating an exfiltration risk.