long-term-task-orchestration

Fail

Audited by Snyk on Apr 8, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The meta-skill requires Phase 0 to "complete...API Key / model selection, write all variables to .agent.env in one shot," which implies the agent may collect and embed actual API keys/secrets into generated files or commands, forcing the LLM to handle/output secret values verbatim.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's Phase 0 environment setup explicitly suggests running a runtime install command that downloads and executes remote code ("curl -fsSL https://fnm.vercel.app/install | bash") to install fnm/Node.js, meaning a remote URL is fetched and executed as part of the required setup.

Issues (2)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: HIGH
Analyzed: Apr 8, 2026, 11:53 AM
Issues: 2