electric-deployment

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt contains examples that embed credentials verbatim (e.g., DATABASE_URL with user:password, POSTGRES_PASSWORD: password, and docker run -e ELECTRIC_SECRET=my-secret-key), which encourages or requires the agent to output secrets directly in commands/configs.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill includes runtime commands that fetch and execute remote code — notably "npx @electric-sql/start my-app" (which pulls and runs a package from the npm registry, e.g. https://registry.npmjs.org/@electric-sql/start) and Docker images like electricsql/electric:latest and postgres:16-alpine (pulled from Docker Hub), so external content is executed at runtime.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill instructs modifying Postgres system configuration files (postgresql.conf, ALTER SYSTEM) and deploying services (Docker Compose, volume mounts) which change machine/server state and may require elevated privileges, so it can compromise the host state.