insforge-cli

Fail

Audited by Snyk on Apr 29, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill includes CLI examples and commands that embed secret values verbatim (e.g., deployments env set VITE_INSFORGE_ANON_KEY ik_xxx, inline --env JSON, npx @insforge/cli secrets add <key> <value>, and secrets get, which returns decrypted values). Following them would require an agent to place real secret strings directly into generated commands or outputs.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The docs show runtime installation of remote agent code via "npx skills add insforge/agent-skills" (insforge/agent-skills) during project creation, which directly installs agent skills that can change agent prompts/behavior. The compute deploy flow also accepts external image URLs (e.g., ghcr.io/your-org/your-app:v1 or nginx:alpine) that are fetched and executed as Docker images at deploy time. Both are runtime external dependencies that install or execute remote code.

Issues (2)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: HIGH
Analyzed: Apr 29, 2026, 10:12 PM
Issues: 2