mcp-installer

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The installer flow explicitly pauses to collect user-provided secrets and then merges/writes those values into JSON configs and into base64-encoded Trae deep-links (which are reversible), meaning the LLM would need to emit the secret values (or encodings of them) verbatim in generated output.