inconvo-cli
Fail
Audited by Snyk on Mar 13, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly documents and examples using an --api-key flag (showing non-interactive --api-key <key>) which encourages embedding API keys as command-line arguments, forcing an agent to place secret values verbatim into generated commands — a high exfiltration risk.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The docker-compose references pull and run remote container images at runtime (ghcr.io/inconvoai/inconvo/dev-server:${INCONVO_VERSION:-latest} and postgres:16-alpine), which will fetch and execute remote code as a required dependency when running npx inconvo dev/docker compose.
Issues (2)
W007
HIGH Insecure credential handling detected in skill instructions.
W012
MEDIUM Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata