fragments-cloud-setup

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to ask the user to paste their Fragments Cloud API key (or accept it as an argument) and then write that key verbatim into .env/.env.local, which requires the LLM to handle and output secrets directly.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill instructs installing and running the remote package @fragments-sdk/govern (https://www.npmjs.com/package/@fragments-sdk/govern) at runtime via the package manager and npx, which will fetch and execute remote code as a required dependency.