eliteforge-sonar-pmd-generator

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly references initializing a Sonar token and includes a scan command example with -Dsonar.token=, which encourages embedding authentication tokens directly into generated commands/outputs and thus requires handling secrets verbatim.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's runtime includes a docker run that will pull and execute the remote SonarQube image (sonarqube:community) — a required external artifact for the end-to-end workflow that causes execution of fetched remote code.