localtunnel-auto-expose

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). Insecure: the skill explicitly tells the agent to fetch the LocalTunnel access password and then display the exact password and public URL verbatim to the user, requiring the LLM to handle secret values in its output.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill invokes "npx localtunnel --port ..." at runtime, which fetches and executes the remote npm package (e.g. https://registry.npmjs.org/localtunnel), so external code is retrieved and run as a required dependency.